Re: How best to copy all UNIX files one z/OS to another

2020-11-06 Thread kekronbekron
A fellow wombat fan!

- KB

‐‐‐ Original Message ‐‐‐
On Saturday, November 7, 2020 3:54 AM, Paul Gilmartin 
<000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Fri, 6 Nov 2020 13:44:08 -0800, Charles Mills wrote:
>
> > > Why use "*" (which caused you problems previously) rather than "."
> >
> > Not clear on the difference. See "not a UNIX professional." Did * cause me 
> > problems? I thought it was a file named -x that caused the problems. 
> > Deleting the file named -x sure solved the problem!
>
> The "*" was a co-conspirator. A contrived example -- in directory:
> 597 $ ls -alN # (GNUism)
> total 24
> -rw-r--r-- 1 paulgilm paulgilm 32 Nov 6 15:04 --
> drwxr-xr-x 2 paulgilm paulgilm 4096 Nov 6 15:04 .
> drwxr-xr-x 4 paulgilm paulgilm 4096 Nov 6 14:58 ..
> -rw-r--r-- 1 paulgilm paulgilm 32 Nov 6 15:04 !wombat
> -rw-r--r-- 1 paulgilm paulgilm 32 Nov 6 15:04 -wombat
> -rw-r--r-- 1 paulgilm paulgilm 32 Nov 6 15:04 .wombat
>
> This may be what you want (the "./" are superfluous):
> 598 $ pax -vw . >/dev/null
> .
> ./--
> ./-wombat
> ./!wombat
> ./.wombat
> pax: ustar vol 1, 5 files, 0 bytes read, 10240 bytes written.
>
> You may not want this (beware shell expansion!):
> 599 $ pax -vw * >/dev/null
> !wombat
> -wombat
> pax: ustar vol 1, 2 files, 0 bytes read, 10240 bytes written.
>
> > I took care to put the archive outside of the archived path. Not THAT dumb. 
> > 
>
> Likewise, what happens if you IEBCOPY unload a PDS into one of its own 
> members?
>
> -- gil
>
> 
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: JES2 Policies

2020-11-05 Thread kekronbekron
Is it an option to ask how they managed this in the source site?

- KB

‐‐‐ Original Message ‐‐‐
On Thursday, November 5, 2020 10:51 AM, Gadi Ben-Avi  wrote:

> Hi Everone.
> Thanks for responding.
>
> We 'purchased' a system from another site.
> The jobs that came with the system do not have a CLASS parameter specified.
> They do have specific values in the accounting fields that are supposed to 
> assign the job to specific classes.
> I assume they had an exit that did all of this.
>
> Up until now, all of the jobs ran in the same class, with the same service 
> class.
> I've been asked to assign a lower service class to jobs that have a specific 
> (not specified as yet) value in the accounting data.
>
> The simplest way would have been to tell the job owners to code a CLASS 
> parameter on the JOB card, but they say that that is too much work.
>
> I looked at doing this using WLM definitions.
> It works if the value in the accounting data is in the first 8 bytes.
> Otherwise, it get complicated to write, debug, and read.
>
> I read about JES2 Policies, so I looked it up in the documentation.
>
> Gadi
>
> -Original Message-
> From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On Behalf Of 
> Jesse 1 Robinson
> Sent: Wednesday, November 4, 2020 10:05 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: JES2 Policies
>
> In a previous life at the late great Security Pacific, we an elaborate scheme 
> based on account numbers. Even the job name was generated from account 
> number. To control all this, we had a VSAM file containing all valid account 
> numbers along with indications of who could submit jobs with each number. An 
> array of JES2 and SMF exits were employed to make all this work. At the end 
> of the year, account numbers were used for chargeback to respective 
> departments for resource usage.
>
> There is no way in h*ll I would recommend this complex scheme for a modern 
> shop. But yes, with enough time and $$, it can be done.
>
> .
> .
> J.O.Skip Robinson
> Southern California Edison Company
> Electric Dragon Team Paddler
> SHARE MVS Program Co-Manager
> 323-715-0595 Mobile
> 626-543-6132 Office ⇐=== NEW
> robin...@sce.com
>
> -Original Message-
> From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On Behalf Of 
> Lizette Koehler
> Sent: Wednesday, November 4, 2020 10:53 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: (External):Re: JES2 Policies
>
> *** EXTERNAL EMAIL - Use caution when opening links or attachments ***
>
> Initial Request:
> The current goal is to change a job's class or service class depending on 
> certain values in the accounting information.
>
> It also seems to me that a JCL tool, Like JCLPLUS could put rules into JCL 
> Scanning and force users to adhere to a standard. But that would mean you 
> have a Source management system that is used to deploy Jobs to various 
> systems.
>
> It could have rules that say, if Account Code is this, then the job should 
> have Service Class STCLOW and CLASS X
>
> Lizette
>
> -Original Message-
> From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On Behalf Of 
> Allan Staller
> Sent: Wednesday, November 4, 2020 11:35 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: JES2 Policies
>
> Wouldn't RACF jobclass controls be more appropriate?
>
> -Original Message-
> From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On Behalf Of Joe 
> Monk
> Sent: Wednesday, November 4, 2020 10:31 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: JES2 Policies
>
> [CAUTION: This Email is from outside the Organization. Unless you trust the 
> sender, Don’t click links or open attachments as it may be a Phishing email, 
> which can steal your Information and compromise your Computer.]
>
> Radoslaw,
>
> I think what the OP is really saying is that certain accounts should be 
> restricted from certain jobclasses i.e. DEV cant use PROD jobclasses. So, if 
> they code a CLASS=X, but the account info says that they dont have access to 
> CLASS=X, then dump the job.
>
> OP: This has been around a long time, and is very mature...
>
> Joe
>
> On Wed, Nov 4, 2020 at 8:20 AM R.S. r.skoru...@bremultibank.com.pl wrote:
>
> > W dniu 04.11.2020 o 13:10, Gadi Ben-Avi pisze:
> >
> > > Hi,
> > > I've started looking into JES2 Policies.
> > > The current goal is to change a job's class or service class
> > > depending
> > > on certain values in the accounting information.
> > >
> > > > From reading the manual, it seems that this is possible.
> > >
> > > Has anyone done something like this?
> > > Is there a way to debug these policies?
> > > Is this feature mature enough to use?
> >
> > I dare to disagree ...with your goal. More precisely I disagree with
> > your presentation of the goal.
> > Does it really have to depend on account information? Why?
> > That means user has to code something in the jobcard, in the first
> > positional. So he may code CLASS= keyword as well, can't he?
> > Maybe your 

Re: How best to copy all UNIX files one z/OS to another

2020-10-29 Thread kekronbekron
True, don't know what I was thinking :)
Shouldn't have started w/ pax.
Wanted to say, unmount, DFDSS, etc.

Anyway, if there are easier ways..

- KB

‐‐‐ Original Message ‐‐‐
On Thursday, October 29, 2020 7:21 PM, Paul Gilmartin 
<000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Wed, 28 Oct 2020 18:49:46 +, Michael Brennan wrote:
>
> > After the pax, unmount your new ZFS/HFS file. DFDSS dump it, terse the dump 
> > then FTP the tersed file. At the receiving site, unterse and restore.
>
> That seems to be an exercise in seeing how many needless utilities you can
> exploit. Just transfer the pax archive.
>
> And the OP says bandwidth is not a constraint; no need to compress.
> Even so, pax has a "-z" option.
>
> -- gil
>
> 
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: How best to copy all UNIX files one z/OS to another

2020-10-28 Thread kekronbekron
Wondering why no one has suggested the all new USS file/directory dumping 
capability in DFDSS.
I would also run ls -alf in a batch job against all the 'old' mount points to 
get a listing of owners & permissions.
Batch because the output will probably be huge.

See if Co:Z SFTP can help in any way w.r.t managing the transfer process.

- KB

‐‐‐ Original Message ‐‐‐
On Thursday, October 29, 2020 3:10 AM, Michael Brennan 
 wrote:

> After you get your unix files to the target system,
> If you need to change ownership of all the directories the following will 
> come in handy:
>
> //JS10 EXEC PGM=IKJEFT01
> //SYSTSPRT DD SYSOUT=*
> //SYSTSIN DD *
> BPXBATCH SH chown -R USERID:GROUPID /To_Directory/
>
> Where USERID is the RACF/ACF2/TSS id that you want to be the owner and
> Where GROUPID is the Group you want to be the owner.
>
> -
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: SMF to capture user login history

2020-10-25 Thread kekronbekron
In SDSF, &10 or  does the job

- KB

‐‐‐ Original Message ‐‐‐
On Monday, October 26, 2020 12:17 AM, Tom Brennan  
wrote:

> Reminds me of a co-worker who no matter what time day or night I would
> happen to see his online Outlook status, his id was marked as online and
> busy. Of course he had some kind of macro or hook running on his PC.
>
> On 10/24/2020 11:10 PM, kekronbekron wrote:
>
> > I hope no one encourages this kind of snooping on the list.
> > Stinks of an attempt to police working hours.
> >
> > -   KB
> >
> > ‐‐‐ Original Message ‐‐‐
> > On Sunday, October 25, 2020 11:37 AM, Jake Anderson 
> > justmainfra...@gmail.com wrote:
> >
> > > Hello
> > > Cross posted.
> > > We have a SMF data for some years and I would like to fetch a user's logon
> > > history like when he was logged with all time intervals.
> > > Is there a sample JCL or process you are following without having to use
> > > any third party product to process.
> > > Could someone please share any sample if you have and willing to share ?
> > > Jake
> > >
> > > For IBM-MAIN subscribe / signoff / archive access instructions,
> > > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: SMF to capture user login history

2020-10-25 Thread kekronbekron
Of course, I'm just raising a point of being mindful of what the purpose of 
this may be.
Heck, I wrote one myself a few years ago; good thing it wasn't used more than 
once (the initial test run lol).

- KB

‐‐‐ Original Message ‐‐‐
On Sunday, October 25, 2020 8:18 PM, Seymour J Metz  wrote:

> There are legitimate reasons for that type of report.
>
>
> ---
>
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of 
> kekronbekron [02dee3fcae33-dmarc-requ...@listserv.ua.edu]
> Sent: Sunday, October 25, 2020 2:10 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: SMF to capture user login history
>
> I hope no one encourages this kind of snooping on the list.
> Stinks of an attempt to police working hours.
>
> -   KB
>
> ‐‐‐ Original Message ‐‐‐
> On Sunday, October 25, 2020 11:37 AM, Jake Anderson 
> justmainfra...@gmail.com wrote:
>
>
> > Hello
> > Cross posted.
> > We have a SMF data for some years and I would like to fetch a user's logon
> > history like when he was logged with all time intervals.
> > Is there a sample JCL or process you are following without having to use
> > any third party product to process.
> > Could someone please share any sample if you have and willing to share ?
> > Jake
> >
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> ---
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: SMF to capture user login history

2020-10-25 Thread kekronbekron
I hope no one encourages this kind of snooping on the list.
Stinks of an attempt to police working hours.

- KB

‐‐‐ Original Message ‐‐‐
On Sunday, October 25, 2020 11:37 AM, Jake Anderson  
wrote:

> Hello
>
> Cross posted.
>
> We have a SMF data for some years and I would like to fetch a user's logon
> history like when he was logged with all time intervals.
>
> Is there a sample JCL or process you are following without having to use
> any third party product to process.
>
> Could someone please share any sample if you have and willing to share ?
>
> Jake
>
> 
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: getting XCFAS down

2020-10-17 Thread kekronbekron
Stop LLA & VLF if they're active.
SETPROG LNKLST UNALLOCATE
--work--
SETPROG LNKLST ALLOCATE
Start LLA & VLF

In general, this is a good reference - 
https://www.ibm.com/support/pages/using-dynamic-lnklst-facility-safely-and-properly

- KB

‐‐‐ Original Message ‐‐‐
On Saturday, October 17, 2020 3:35 PM, Bill Giannelli  
wrote:

> I have been having an issue getting DB2 ERLY code dataset (SDSNLINK) moved 
> in. The PARMLIB has been updated for me and I only need to rename my SDSNLINK 
> datasets to match PARMLIB. But I keep running into XCFAS "using" the dataset. 
> I am not able to "bring down" XCFAS. How do I tell what LPAR is accessing 
> thru XCFAS and how do I "bring down" XCFAS?
> thanks
> Bill
>
> -
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: EXTERNAL EMAIL: Max possible velocity?

2020-10-14 Thread kekronbekron
Since you mentioned Adabas, I believe throwing some zIIP at it (& licensing 
this feature from Adabas's vendor) will help reduce CP usage.
In addition to WLM, I would also look at LPAR Design Tool to check out VH/M/L 
spread (tuning the weights and engines per LPAR).
Could be wrong... but I think WLM really matters only when things are getting 
tight on the LPAR/machine.

It's surprising to me that BC machines are being used for tiny capacities (15 
MSUs?).
Just curious... is it cost effective keeping this going?
Maybe it's not an option to migrate 'cause there's old code?

- KB

‐‐‐ Original Message ‐‐‐
On Wednesday, October 14, 2020 1:25 PM, Martin Packer 
 wrote:

> Hello Shivang!
>
> Either LPAR busy or - my preferred metric and embedded in my regular
> graphing - how much CPU the service class is taking.
>
> Certainly the general point of considering what you’re achieving in
> velocity terms, why, and how it varies under increasing load is a good one.
>
> I would also plot each day a different marker / colour - as that technique
> has helped me trouble shoot. The famous case is one where a customer’s
> “outage” - on a bad day - was just data points continuing the normal line
> towards doom. :-) Plotting those “outage” points in a different colour
> helped make the point.
>
> But most of the time a bad day is a set of points that are well below the
> usual curve - and then you go to a companion graph that shows the
> components of the velocity calculation stacked up. So you get to “today our
> Db2 Engine Service Class velocity tanked due to Delay For zIIP”, for
> example.
>
> Somewhere I blogged/podcasted/screencasted/presented or something :-) about
> all this.
>
> Cheers, Martin
>
> Sent from my iPad
>
> > On 13 Oct 2020, at 23:43, shivang sharma shiva...@gmail.com wrote:
> > You can draw lpar busy vs velocity of the service class to see what it
> > achieves when the lpar gets busy and get the number.
> >
> > > On Wed, 14 Oct 2020, 3:06 am Jerry Whitteridge, <
> > > jerry.whitteri...@albertsons.com> wrote:
> > > Dave - I'm by no means a Capacity Planning guru but here's my 2 cents.
> > > Velocity is defined as a measure of protection against delay - it's not
>
> a
>
> > > hard and fast number. I'd first look at your service classes and find if
> > > any of them have a PI of less than 1. If they do they are over achieving
> > > their goals and you could drop the velocity on them to provide resources
>
> to
>
> > > the service classes who are struggling. Adjust the Velocities by 10
>
> rather
>
> > > than single digits. All the tuning of the high achieving (not High
> > > Importance or velocity) Classes will provide help to the under
>
> achievers.
>
> > > Jerry Whitteridge
> > > jerry.whitteri...@albertsons.com
> > > Manager Mainframe Systems & HP Non-Stop
> > > Albertsons Companies
> > > -Original Message-
> > > From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On Behalf
> > > Of Gibney, Dave
> > > Sent: Tuesday, October 13, 2020 2:28 PM
> > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > Subject: EXTERNAL EMAIL: Max possible velocity?
> > > It has been quite some time since I had to worry about my WLM policy.
> > > We've had ample capacity since 2007. Now, as We begin to wind down, we
>
> have
>
> > > reduced our contracted MSU capacity.
> > > We dropped from 15 to 12 on an 5 way z13S-N05. My WLM policy, last
> > > seriously adjusted in 2007 when we moved to a z9-L03 has velocities
>
> ranging
>
> > > from a high of 90 (Adabas, Imp 1) down to 5 (BATCH Imp 5)
> > > We are experiencing just a minor amount of performance pain. It strikes
>
> me
>
> > > that perhaps some of my higher velocity goals (90, 70, 60, 50) may be
> > > unattainable under the now reduced capacity.
> > > What is the high end for possible, single threaded (Adabas) velocity
>
> here?
>
> > > Or, where should I be reading in current manuals. I was better at this
>
> 15
>
> > > years ago.
> > > Dave Gibney
> > > Information Technology Services
> > > Washington State University
> > >
> > > For IBM-MAIN subscribe / signoff / archive access instructions,
> > > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> > >
> > > Warning: All e-mail sent to this address will be received by the
> > > corporate e-mail system, and is subject to archival and review by
>
> someone
>
> > > other than the recipient. This e-mail may contain proprietary
>
> information
>
> > > and is intended only for the use of the intended recipient(s). If the
> > > reader of this message is not the intended recipient(s), you are
>
> notified
>
> > > that you have received this message in error and that any review,
> > > dissemination, distribution or copying of this message is strictly
> > > prohibited. If you have received this message in error, please notify
>
> the
>
> > > sender immediately.
> > >
> > > For IBM-MAIN subscribe / signoff / archive access instructions,
> > > send email to lists...@listserv.ua.edu with the 

Re: PCOMM

2020-10-09 Thread kekronbekron
You know what's better than CNTL-C and CNTL-V?
A checkbox that will automatically copy content to clipboard, when you draw a 
bounding box.
Not connected to a work machine right now to tell the actual option.
But it exists in PCOMM..

- KB

‐‐‐ Original Message ‐‐‐
On Friday, October 9, 2020 2:44 PM, R.S.  wrote:

> W dniu 09.10.2020 o 15:16, Steve Beaver pisze:
>
> > One of the MAJOR reasons I hate PCOMM it that I have trouble setting up
> > CUT/PASTE as
> > CNTL-C and CNTL-V.
> > Are there any IBMers that can tell me how KEYBOARD map these functions.
>
> The file is text and short:
>
> [Profile]
> ID=KMP
> Version=5
> Description=copy, paste
> [KEYBOARD]
> C-KEY47=[edit-cut]
> C-KEY48=[edit-copy]
> CS-KEY48=[edit-copyappend]
> C-KEY49=[edit-paste]
> CS-KEY49=[edit-paste-next]
>
> ---
>
> Radoslaw Skorupka
> Lodz, Poland
>
>
> 
>
> Jeśli nie jesteś adresatem tej wiadomości:
>
> -   powiadom nas o tym w mailu zwrotnym (dziękujemy!),
> -   usuń trwale tę wiadomość (i wszystkie kopie, które wydrukowałeś lub 
> zapisałeś na dysku).
> Wiadomość ta może zawierać chronione prawem informacje, które może 
> wykorzystać tylko adresat.Przypominamy, że każdy, kto rozpowszechnia 
> (kopiuje, rozprowadza) tę wiadomość lub podejmuje podobne działania, narusza 
> prawo i może podlegać karze.
>
> mBank S.A. z siedzibą w Warszawie, ul. Senatorska 18, 00-950 
> Warszawa,www.mBank.pl, e-mail: kont...@mbank.pl. Sąd Rejonowy dla m. st. 
> Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego, KRS 025237, 
> NIP: 526-021-50-88. Kapitał zakładowy (opłacony w całości) według stanu na 
> 01.01.2020 r. wynosi 169.401.468 złotych.
>
> If you are not the addressee of this message:
>
> -   let us know by replying to this e-mail (thank you!),
> -   delete this message permanently (including all the copies which you have 
> printed out or saved).
> This message may contain legally protected information, which may be used 
> exclusively by the addressee.Please be reminded that anyone who disseminates 
> (copies, distributes) this message or takes any similar action, violates the 
> law and may be penalised.
>
> mBank S.A. with its registered office in Warsaw, ul. Senatorska 18, 
> 00-950 Warszawa,www.mBank.pl, e-mail: kont...@mbank.pl. District Court for 
> the Capital City of Warsaw, 12th Commercial Division of the National Court 
> Register, KRS 025237, NIP: 526-021-50-88. Fully paid-up share capital 
> amounting to PLN 169.401.468 as at 1 January 2020.
>
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: SMPe ptfs download to USS

2020-09-17 Thread kekronbekron
I could be *completely* wrong .. so ... will wait for the list to correct me.
Think this could be because TCP/IP is built 'in' USS, and therefore the ShopZ 
job, which probably does HTTPS to IBM, needs to get its stuff into USS.

- KB

‐‐‐ Original Message ‐‐‐
On Thursday, September 17, 2020 6:11 PM, Ron Wells 
<02ebc63ff5ef-dmarc-requ...@listserv.ua.edu> wrote:

> Because of the trend to regress...
>
> -Original Message-
> From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On Behalf Of 
> Bill Giannelli
>
> Sent: Thursday, September 17, 2020 5:43 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: SMPe ptfs download to USS
>
> ** EXTERNAL EMAIL - USE CAUTION **
>
> When I order software maintenance and download it, why does it need to go to 
> USS first?
> thanks
> Bill
>
> 
>
> For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
> lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> Email Disclaimer
>
> This E-mail contains confidential information belonging to the sender, which 
> may be legally privileged information. This information is intended only for 
> the use of the individual or entity addressed above. If you are not the 
> intended recipient, or an employee or agent responsible for delivering it to 
> the intended recipient, you are hereby notified that any disclosure, copying, 
> distribution, or the taking of any action in reliance on the contents of the 
> E-mail or attached files is strictly prohibited.
>
> -
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Ransoming a mainframe disk farm

2020-09-08 Thread kekronbekron
Thank you Tim, would you be able to share any info about #2 here.. ?

- KB

‐‐‐ Original Message ‐‐‐
On Tuesday, September 8, 2020 10:27 AM, Timothy Sipples  
wrote:

> Kekronbekron wrote:
>
> > Thinking about it ... it would be far simpler (than anti-ransomware
> > capability in storage, or lock-all behaviour) if there were a RACF
> > HealthChecker that looks for abnormal enc/dec activity. What 'normal'
> > is can be learnt from a year's worth of actual enc/dec-related SMF
> > data.
>
> There are tools with capabilities like the ones you're describing.
>
> I have a couple comments:
>
> 1.  There are some excellent ransomware (and similar non-ransomware
> disaster scenario) defenses available based on "out of band" controls and
> lockouts. IBM DS8000 SafeGuarded Copy is one such example, a really
> important one that's the foundation for some other valuable resiliency
> capabilities. However, I have worked with some organizations that still
> (also) want to maintain total physical and electronic (wired, wireless)
> separation for certain data. You can achieve total separation in a few
> ways, such as physical tape cartridges (usually WORM, preferably
> encrypted) ejected from tape libraries and vaulted "afar." Of course the
> costs include elongated Recovery Point Objectives (RPOs) and Recovery Time
> Objectives (RTOs), but in some cases the costs are tolerable or at least
> tolerated.
>
> You cannot really keep data completely, absolutely separate if you care
> about retrieving it. You can only maintain separation with at least one
> adjective added, such as "physically and electronically separate storage
> media," which is not the same as "storage media separated from all
> possible human contact." The Voyager space probes, I think it's fair to
> say, will "never" be vulnerable to human contact. They contain tape drives
> and tape media, and they are currently electronically connected via NASA's
> Deep Space Network.
>
> Anyway, it depends on what you're trying to accomplish, but lots of
> options are available, not necessarily mutually exclusive.
>
> 2.  If you need secure software build and deployment processes (yes, you
> do), I suggest contacting my employer. IBM has some super exciting new
> capabilities in this area, very cutting edge. They're grounded in
> mainframe technologies, whether in your data center, in the public cloud,
> or both. Mainframes often pioneer new capabilities that didn't exist in
> the entire industry. Here, too, that's what's happening.
>
> Ransomware is one clearcut demonstration that it doesn't particularly
> matter how terrific your data-focused defenses are if you have compromised
> applications, for it's applications -- program code -- that process(es)
> data. So you've got to approach security challenges holistically.
>
>
> Timothy Sipples
> I.T. Architect Executive
> Digital Asset & Other Industry Solutions
> IBM Z & LinuxONE
>
> E-Mail: sipp...@sg.ibm.com
>
> ---
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Ransoming a mainframe disk farm

2020-09-07 Thread kekronbekron
Thinking about it ... it would be far simpler (than anti-ransomware capability 
in storage, or lock-all behaviour) if there were a RACF HealthChecker that 
looks for abnormal enc/dec activity.
What 'normal' is can be learnt from a year's worth of actual enc/dec-related 
SMF data.

- KB

‐‐‐ Original Message ‐‐‐
On Monday, September 7, 2020 9:43 PM, kekronbekron 
<02dee3fcae33-dmarc-requ...@listserv.ua.edu> wrote:

> WSL doesn't have anything to do with cloud.
> It's just the running of Linux within Windows, using bits of Hyper-V 
> internally, I think.
>
> That said, Joe's point about securing this new vector is one to pay attention 
> to.
> And since z/OS is also working on improving/expanding z/OS NFS 
> implementation.. I'm sure IBM will make it as securable as possible, as 
> always.
>
> -   KB
>
> ‐‐‐ Original Message ‐‐‐
> On Monday, September 7, 2020 8:56 PM, Steve Thompson ste...@copper.net 
> wrote:
>
>
> > So, does this mean that a cloud environment is more or less likely to be 
> > attacked than the same on premise environment?
> > Such an attack could cause a major disruption in operations and thinking.
> > Sent from my iPhone — small keyboarf, fat fungrs, stupd spell manglr. Expct 
> > mistaks
> >
> > > On Sep 7, 2020, at 11:20 AM, Joe Monk joemon...@gmail.com wrote:
> > > Let me tell you why it is not such a hypothetical problem...
> > > As we all know, Microsoft now allows under Windows for Linux, Windows
> > > access to Linux datastores. So, imagine I have a mainframe data store
> > > mounted as a Linux FS on a Windows box running Windows for Linux. Now, the
> > > windows box gets ransom'd ... what happens to the Linux FS mounted on the
> > > Windows box?
> > > In case you dont know about it:
> > > https://docs.microsoft.com/en-us/windows/wsl/install-win10
> > > Joe
> > >
> > > > On Mon, Sep 7, 2020 at 8:47 AM kekronbekron <
> > > > 02dee3fcae33-dmarc-requ...@listserv.ua.edu> wrote:
> > > > "I see no relationship to the ransomware problem,..."
> > > > The whole topic is a hypothetical discussion.. don't know what to say 
> > > > for
> > > > the relation not being understandable.
> > > > Just a thought for damage control..
> > > > Obviously, obvious security measures have still let this hypothetical
> > > > problem through (either bypassed or less-than-optimal security 
> > > > measures)...
> > > > so fiddling with user accesses at this point is irrelevant.
> > > > Whole world knows how to prevent.. but actually doing it is a whole
> > > > another matter of tools, processes, capabilities, and such.
> > > >
> > > > -   KB
> > > >
> > > > ‐‐‐ Original Message ‐‐‐
> > > > On Monday, September 7, 2020 7:08 PM, R.S. 
> > > > r.skoru...@bremultibank.com.pl
> > > > wrote:
> > > >
> > > > > W dniu 07.09.2020 o 14:57, kekronbekron pisze:
> >
> > --
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Ransoming a mainframe disk farm

2020-09-07 Thread kekronbekron
WSL doesn't have anything to do with cloud.
It's just the running of Linux within Windows, using bits of Hyper-V 
internally, I think.

That said, Joe's point about securing this new vector is one to pay attention 
to.
And since z/OS is also working on improving/expanding z/OS NFS implementation.. 
I'm sure IBM will make it as securable as possible, as always.


- KB

‐‐‐ Original Message ‐‐‐
On Monday, September 7, 2020 8:56 PM, Steve Thompson  wrote:

> So, does this mean that a cloud environment is more or less likely to be 
> attacked than the same on premise environment?
>
> Such an attack could cause a major disruption in operations and thinking.
>
> Sent from my iPhone — small keyboarf, fat fungrs, stupd spell manglr. Expct 
> mistaks
>
> > On Sep 7, 2020, at 11:20 AM, Joe Monk joemon...@gmail.com wrote:
> > Let me tell you why it is not such a hypothetical problem...
> > As we all know, Microsoft now allows under Windows for Linux, Windows
> > access to Linux datastores. So, imagine I have a mainframe data store
> > mounted as a Linux FS on a Windows box running Windows for Linux. Now, the
> > windows box gets ransom'd ... what happens to the Linux FS mounted on the
> > Windows box?
> > In case you dont know about it:
> > https://docs.microsoft.com/en-us/windows/wsl/install-win10
> > Joe
> >
> > > On Mon, Sep 7, 2020 at 8:47 AM kekronbekron <
> > > 02dee3fcae33-dmarc-requ...@listserv.ua.edu> wrote:
> > > "I see no relationship to the ransomware problem,..."
> > > The whole topic is a hypothetical discussion.. don't know what to say for
> > > the relation not being understandable.
> > > Just a thought for damage control..
> > > Obviously, obvious security measures have still let this hypothetical
> > > problem through (either bypassed or less-than-optimal security 
> > > measures)...
> > > so fiddling with user accesses at this point is irrelevant.
> > > Whole world knows how to prevent.. but actually doing it is a whole
> > > another matter of tools, processes, capabilities, and such.
> > >
> > > -   KB
> > >
> > > ‐‐‐ Original Message ‐‐‐
> > > On Monday, September 7, 2020 7:08 PM, R.S. r.skoru...@bremultibank.com.pl
> > > wrote:
> > >
> > > > W dniu 07.09.2020 o 14:57, kekronbekron pisze:
>
> --
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Ransoming a mainframe disk farm

2020-09-07 Thread kekronbekron
"I see no relationship to the ransomware problem,..."

The whole topic is a hypothetical discussion.. don't know what to say for the 
relation not being understandable.
Just a thought for damage control..

Obviously, obvious security measures have still let this hypothetical problem 
through (either bypassed or less-than-optimal security measures).. so fiddling 
with user accesses at this point is irrelevant.

Whole world knows how to prevent.. but actually doing it is a whole another 
matter of tools, processes, capabilities, and such.

- KB

‐‐‐ Original Message ‐‐‐
On Monday, September 7, 2020 7:08 PM, R.S.  
wrote:

> W dniu 07.09.2020 o 14:57, kekronbekron pisze:
>
> > Makes me wonder.. some network products have a 'total lockdown' mode that 
> > stops anything network. Like pulling the plug.
> > IBM can have a similar thing for z/OS TCPIP/SNA networks but I reckon it's 
> > more effective if a similar lockdown (ugh) feature exists for RACF instead.
> > Of course, this will mean a whole lot of things will now start failing 
> > (perhaps this feature can also write such lockdown-initiated violations 
> > into a special report), but it may be worth shuttering things down before 
> > things can get worse.
> > Alternatively, storage boxes need to get intelligent with their metadata.
> >
> > -   KB
>
> I see no relationship to the ransomware problem, however in z/OS you can
> "totally lockdown" any network interface you want. Including offline the
> device and chpid. And this is IMHO good for Hollywood movies, not as
> real protection - this "plug out feature" would work ...when? After the
> hacker started encryption, or just two minutes before? Who/what
> recognize suspected activity? What if the activity was phony, just to
> run "plug out feaure"?
>
> My advice:
>
> 1.  Only authorized users should have connectivity to the mainframe
> ...and any other resource. No more "any to any" company networks. Note:
> "authorized" in this point has nothing to do with a mainframe. Just
> Johny the Sysprog can connect to the host, but Jim the secretary cannot.
>
> 2.  Only authorized users can logon. User, password, maybe MFA. Obvious.
> 3.  Users are authorized to the resources they need, nothing more. Of
> course we do not talk about READ to SYS1.HELP, but it is good idea to
> not allow APF update to any TSO user. This is typical RACF
> responsibility. Lng story.
>
> --
> Radoslaw Skorupka
> Lodz, Poland
>
> ==
>
> Jeśli nie jesteś adresatem tej wiadomości:
>
>
> -   powiadom nas o tym w mailu zwrotnym (dziękujemy!),
> -   usuń trwale tę wiadomość (i wszystkie kopie, które wydrukowałeś lub 
> zapisałeś na dysku).
> Wiadomość ta może zawierać chronione prawem informacje, które może 
> wykorzystać tylko adresat.Przypominamy, że każdy, kto rozpowszechnia 
> (kopiuje, rozprowadza) tę wiadomość lub podejmuje podobne działania, narusza 
> prawo i może podlegać karze.
>
> mBank S.A. z siedzibą w Warszawie, ul. Senatorska 18, 00-950 
> Warszawa,www.mBank.pl, e-mail: kont...@mbank.pl. Sąd Rejonowy dla m. st. 
> Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego, KRS 025237, 
> NIP: 526-021-50-88. Kapitał zakładowy (opłacony w całości) według stanu na 
> 01.01.2020 r. wynosi 169.401.468 złotych.
>
> If you are not the addressee of this message:
>
> -   let us know by replying to this e-mail (thank you!),
> -   delete this message permanently (including all the copies which you have 
> printed out or saved).
> This message may contain legally protected information, which may be used 
> exclusively by the addressee.Please be reminded that anyone who disseminates 
> (copies, distributes) this message or takes any similar action, violates the 
> law and may be penalised.
>
> mBank S.A. with its registered office in Warsaw, ul. Senatorska 18, 
> 00-950 Warszawa,www.mBank.pl, e-mail: kont...@mbank.pl. District Court for 
> the Capital City of Warsaw, 12th Commercial Division of the National Court 
> Register, KRS 025237, NIP: 526-021-50-88. Fully paid-up share capital 
> amounting to PLN 169.401.468 as at 1 January 2020.
>
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Ransoming a mainframe disk farm

2020-09-07 Thread kekronbekron
Makes me wonder.. some network products have a 'total lockdown' mode that stops 
*anything* network. Like pulling the plug.

IBM can have a similar thing for z/OS TCPIP/SNA networks but I reckon it's more 
effective if a similar lockdown (ugh) feature exists for RACF instead.
Of course, this will mean a whole lot of things will now start failing (perhaps 
this feature can also write such lockdown-initiated violations into a special 
report), but it may be worth shuttering things down before things can get worse.

Alternatively, storage boxes need to get intelligent with their metadata.


- KB

‐‐‐ Original Message ‐‐‐
On Monday, September 7, 2020 5:04 PM, R.S.  
wrote:

> My €0,02
> Ransomware on z/OS is very unlikely, but it is possible. We cannot say
> it is impossible.
> The possibility depends on some circumstances which affect the results
> and possible prevention. It will be disscuessed. below (a little bit).
>
> Will backup help? NO!
> Backup may be last resort, especially for operating system itself and
> batch data. Not for online processing. In this case that could mean
> outage and data loss. Imagine lost of half day transactions in a bank...
> It is disaster for many businesses.
> What about backup from tape and forward recovery from transaction log?
> Hey, do you have log? Why can we assume the log is safe when we consider
> tables are "ransomwared"? (encrypted by hacker - let me use this neologism)
> And what about tape data? There were many voices about virtual tapes -
> saying it's not the same as physical tape. Oh, yes - physical cart is
> sexy. You can see it, you can touch it and you can remove it from ATL
> and keep on you desk. Or even send it to the vault.
> First: who removes tape from ATL? And why? Nowadays it can be poor
> replacement for second ATL in remote location. Or third copy. Always
> backlevel a little.
> And how can you know the data on tape is OK and it is not ransomwared
> copy of ransomwared dataset? Can I smell it? NO.
> Hello - is it possible hacker ransomwared backups on the tape? Why not?
> We just assumed he is able to ransomware DASD data.
> Such cases did take a place in Windows world.
>
> Conclusion: the only effective way is to do not allow ransomware attack
> to happen. Yes, we have to prevent it. All other ideas are like good
> advices to a guy after his house was already robbed. Too late. You
> already lost a lot.
>
> Reminder: all methods like backup, remote copy, third datacenter, tapes
> in vault, etc. will NOT help for ANY PROBLEM. They will help for some
> problems only. We are never 100% safe. It can be 99,9% or 99,%, but
> the gap exists. What's in the gap? Example: Terrorist attack can destroy
> our datacenter. There is no reason to assume the terrorists want to
> attack us, but we cannot say it is impossible. But it is also possible
> the terrorists would attack all our datacenters. BTW: such attack is not
> only matter of wall thickness, sometimes it can be false pizza courier
> with gun and hostages.
>
> And regarding IPL in VTS environment: AFAIK it is quite possible to IPL
> from virtual tape volume. IMHO tape IPL as problem recovery seems to be
> obsolete, maybe except poor installations. It is much more convenient to
> have rescue LPAR with small z/OS image. It is much faster and more
> convenient. Bigger shops may have rescue system cloned to any DASD box
> in the installation, it can be IPLable from any CPC, including DR site,
> etc.
>
>
> 

Re: zSeries and using cloud for backups

2020-08-05 Thread kekronbekron
model9 got acquired by El Goog.

- KB

‐‐‐ Original Message ‐‐‐
On Wednesday, August 5, 2020 9:05 PM, ITschak Mugzach  
wrote:

> Have a look at MODEL9. I know some clients of us that are using it to
> backup to the cloud.
>
> ITschak
>
> ITschak Mugzach
> |* IronSphere Platform* | *Information Security Continuous Monitoring
> for z/OS, x/Linux & IBM I **| z/VM comming son *
>
> On Wed, Aug 5, 2020 at 5:54 PM R.S. r.skoru...@bremultibank.com.pl wrote:
>
> > W dniu 05.08.2020 o 16:45, Edgington, Jerry pisze:
> >
> > > To all,
> > > I am being asked about connecting zSeries, both z/OS and z/VM, to a
> > > cloud provider, for a "3rd" copy of the zSeries data. I believe there are
> > > ways from z/OS using DFSMShsm to access, both read/write, to cloud data.
> > > And some type of interface, from the new DS8910. So, I am wondering, is
> > > this technically possible? What are the possible connection points? The
> > > features a paid features?
> > > This is not my choice to backup zSeries data to the cloud, but I am
> > > being asked. So, I would love to hear everyone's opinion.
> > > For background on equipment and software. Running on z15, with DS8910
> > > and TS7770T, on z/OS v2.3 and z/VM v7.1.
> >
> > It is possible.
> > It is paid feature of IBM VTS, Oracle (STK) VSM and maybe other vendors.
> > So, actually mainframe OS is aware of VTS connected to the host, not
> > about back-end, which can be a cloud.
> > AFAIK all cloud backup is encrypted by default.
> > --
> > Radoslaw Skorupka
> > Lodz, Poland
> > ==
> > Jeśli nie jesteś adresatem tej wiadomości:
> >
> > -   powiadom nas o tym w mailu zwrotnym (dziękujemy!),
> > -   usuń trwale tę wiadomość (i wszystkie kopie, które wydrukowałeś lub
> > zapisałeś na dysku).
> > Wiadomość ta może zawierać chronione prawem informacje, które może
> > wykorzystać tylko adresat.Przypominamy, że każdy, kto rozpowszechnia
> > (kopiuje, rozprowadza) tę wiadomość lub podejmuje podobne działania,
> > narusza prawo i może podlegać karze.
> >
> >
> > mBank S.A. z siedzibą w Warszawie, ul. Senatorska 18, 00-950 Warszawa,
> > www.mBank.pl, e-mail: kont...@mbank.pl. Sąd Rejonowy dla m. st. Warszawy
> > XII Wydział Gospodarczy Krajowego Rejestru Sądowego, KRS 025237, NIP:
> > 526-021-50-88. Kapitał zakładowy (opłacony w całości) według stanu na
> > 01.01.2020 r. wynosi 169.401.468 złotych.
> > If you are not the addressee of this message:
> >
> > -   let us know by replying to this e-mail (thank you!),
> > -   delete this message permanently (including all the copies which you have
> > printed out or saved).
> > This message may contain legally protected information, which may be 
> > used
> > exclusively by the addressee.Please be reminded that anyone who
> > disseminates (copies, distributes) this message or takes any similar
> > action, violates the law and may be penalised.
> >
> >
> > mBank S.A. with its registered office in Warsaw, ul. Senatorska 18, 00-950
> > Warszawa,www.mBank.pl, e-mail: kont...@mbank.pl. District Court for the
> > Capital City of Warsaw, 12th Commercial Division of the National Court
> > Register, KRS 025237, NIP: 526-021-50-88. Fully paid-up share capital
> > amounting to PLN 169.401.468 as at 1 January 2020.
> >
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: cURL and security

2020-07-23 Thread kekronbekron
Oh ok ... guess I didn't realize that WET is being provided primarily for 
'backward compatibility'.
Thanks for the clarification on the other bits.

> Using cURL or libcurl is not inherently dangerous. Any code that goes
> into production should be peer reviewed. You can write bad code in any
> language using any tool.

Again ... you've over-generalized a very specific scenario I said folks should 
be wary of.
I didn't say curl or any other tool is dangerous, piping source-unknown scripts 
to bash is!

- KB

‐‐‐ Original Message ‐‐‐
On Friday, July 24, 2020 10:15 AM, David Crayford  wrote:

> On 2020-07-24 12:02 PM, kekronbekron wrote:
>
> > > I wouldn't. I would recommend using a sophisticated networking library
> > > like Java or whatever your favorite language is on the JVM.
> > > Can't figure out if you're kidding...
>
> No, I'm not kidding! IMO, unless you have a critical requirement to web
> enable legacy languages then I would avoid WET at all costs. A quick
> browse of the samples is enough to conclude that
> while it may work it is hideously complicated compared to similar
> function in modern languages. So, why not just use a better language? I
> almost died laughing when I saw how complicated it
> is to parse JSON in REXX using the WET.
>
> > > Who told you that? My employer offers a cURL port for z/OS and it's well
> > > maintained with support for production environment.
> > > Ok, Rocket's curl?
> > > What's the percentage of clients that want a separate product for 
> > > something that also comes with (or at least used to?) the OS (Ported 
> > > Tools).
>
> FYI, IBM sold ported tools to Rocket years ago. There is no cURL that
> comes with z/OS.
>
> > Yes, everything I'm saying is subjective...
> > Adoption would be much higher if Ported Tools' curl were actively developed.
>
> It is! And you can download it for free if you just want to write
> in-house tooling. If you want to use cURL in production then you will
> have to buy support.
>
> > Eh ... I didn't say curl-ing a script is dangerous and CWET isn't.
> > I meant piping any source-unknown script direct for execution is not a 
> > great idea.
>
> Using cURL or libcurl is not inherently dangerous. Any code that goes
> into production should be peer reviewed. You can write bad code in any
> language using any tool.
>
> > -   KB
> >
> > ‐‐‐ Original Message ‐‐‐
> > On Friday, July 24, 2020 8:53 AM, David Crayford dcrayf...@gmail.com wrote:
> >
> > > On 2020-07-24 11:12 AM, kekronbekron wrote:
> > >
> > > > Just mentioned ASM / COB CWET for options really.
> > > > They're a a lot more involved than the Python client (when that's 
> > > > available).
> > > > curl is ok as a user, but when you want to productionize something, I 
> > > > would think the recommendation would be to use CWET.
> > > > I wouldn't. I would recommend using a sophisticated networking library
> > > > like Java or whatever your favorite language is on the JVM.
> > >
> > > > Not saying curl is a bad tool, it is handy & does what it does.
> > > > Ease of use does not mean it's the solution of choice in many 
> > > > controlled environments.
> > > > By loved I mean does it get upgrades/improvements?
> > > > Who told you that? My employer offers a cURL port for z/OS and it's well
> > > > maintained with support for production environment.
> > >
> > > > I don't know I'm just asking..
> > > > curl-ing a shell script directly is bit ... dangerous.
> > > > That's purely subjective. I don't see why cURL would be any more
> > > > dangerous than writing a Python script or using CWET.
> > >
> > > Lots of people are using Git for DevOps on z/OS and that uses cURL for
> > > ssh and https transport.
> > >
> > > > Not in this case as the script is available to inspect.
> > > > --
> > >
> > > For IBM-MAIN subscribe / signoff / archive access instructions,
> > > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: cURL and security

2020-07-23 Thread kekronbekron
Ah sorry.. just realising that ID certs (& client auth) require private key lol.

I'm sure others will correct me if I'm wrong... afraid you've to use GENCERT, 
GENREQ and then get it signed by your off-mainframe PKI.
That way, private keys for ID certificates exist on mainframe... which isn't an 
unusual way of doing things.

Alternatively, I think PCOMM, HoD, etc. will have some support for working with 
external keystore for client auth.
https://www.ibm.com/support/knowledgecenter/SSEQ5Y_14.0.0/com.ibm.pcomm.doc/books/html/admin_guide11.htm#cfgssl
Check point #12 here.
"Send Personal Certificate Trusted by Server"
or
"Select or Prompt for Personal Client Certificate" may work.

For option 2,
PCOMM lists Personal certificates from the following location:
[certmgr.msc] ->[Current User->Personal -> Certificates]



- KB

‐‐‐ Original Message ‐‐‐
On Friday, July 24, 2020 8:49 AM, Luke Wilby  wrote:

> cURL requires the client's private key for mutual auth.
>
> I'm not familiar with CWET but I imagine the security considerations are the 
> same.
>
> My clients need to authenticate to the server. The server then needs to 
> perform authorization checks.
>
> It's the authentication part that we need to sort out.
>
> Our company's internal certificate management is done on Windows. Our Windows 
> clients have personal certificates, installed by our Windows team. They don't 
> have access to the private keys.
>
> Our z/OS clients don't have certificates and even if they did, they would 
> come from the Windows team and our clients wouldn't have access to the 
> private keys to issue the cURL call.
>
> > Just mentioned ASM / COB CWET for options really.
> > They're a a lot more involved than the Python client (when that's 
> > available).
> > curl is ok as a user, but when you want to productionize something, I would
> > think the recommendation would be to use CWET.
> > Not saying curl is a bad tool, it is handy & does what it does.
> > Ease of use does not mean it's the solution of choice in many controlled
> > environments.
> > By loved I mean does it get upgrades/improvements?
> > I don't know I'm just asking..
> > curl-ing a shell script directly is bit ... dangerous.
> > Not in this case as the script is available to inspect.
> >
> > -   KB
> >
> > ‐‐‐ Original Message ‐‐‐
> > On Friday, July 24, 2020 7:59 AM, David Crayford dcrayf...@gmail.com
> > wrote:
> >
> > > On 2020-07-23 2:17 PM, kekronbekron wrote:
> > >
> > > > It would be best to consider switching to the z/OS Client Web
> > > > Enablement Toolkit.
> > >
> > > > There are sample programs for REXX / ASM / COB .. and I'm positive
> > > > there'll be a Python client pretty soon (IBM Open Enterprise Python for
> > > > z/OS).
> > >
> > > To me the idea of writing a web client in assembler is preposterous.
> > > COBOL is almost as bad and I would opt to use bpxwunix() with curl
> > > over the Web Enabelment Toolkit any day.
> > > I can create a Jira ticket with a couple of lines of curl. I would
> > > suggest writing a REXX script using the WET would be considerably more
> > > effort.
> > >
> > > > Don't think cURL is loved that much on Z.
> > >
> > > Are you speaking from experience? Not loved by who? Anybody who
> > > knows
> > > how to use z/OS UNIX shells knows how to use curl. I used curl only
> > > yesterday to install a shell utility from github with a simple one-liner.
> > > sh -c "$(curl -fsSL
> > > https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
> > >
> > > > Hmm .. unless client auth is required at the cURL target, you don't need
> > > > to worry about client certs, right?
> > >
> > > > Just plop on the target server's CA cert (interim & root CA) public 
> > > > keys in a
> > > > user keyring, and point CWET to the user keyring.
> > >
> > > > Server auth will work just fine.
> > > >
> > > > -   KB
> > > >
> > > > ‐‐‐ Original Message ‐‐‐
> > > > On Thursday, July 23, 2020 10:20 AM, Filip Palian s3...@pjwstk.edu.pl
> > > > wrote:
> > >
> > > > > Hey,
> > > > > You can read login credentials from within a script at run time
> > > > > from a separate file containing password. This file should have an
> > > > > adequate permissions and ownership set of course.
> > > > > Alternatively, if you c

Re: cURL and security

2020-07-23 Thread kekronbekron
> I wouldn't. I would recommend using a sophisticated networking library
> like Java or whatever your favorite language is on the JVM.

Can't figure out if you're kidding...

> Who told you that? My employer offers a cURL port for z/OS and it's well
> maintained with support for production environment.

Ok, Rocket's curl?
What's the percentage of clients that want a separate product for something 
that also comes with (or at least used to?) the OS (Ported Tools).
Yes, everything I'm saying is subjective...
Adoption would be much higher if Ported Tools' curl were actively developed.

Eh ... I didn't say curl-ing a script is dangerous and CWET isn't.
I meant piping any source-unknown script direct for execution is not a great 
idea.

- KB

‐‐‐ Original Message ‐‐‐
On Friday, July 24, 2020 8:53 AM, David Crayford  wrote:

> On 2020-07-24 11:12 AM, kekronbekron wrote:
>
> > Just mentioned ASM / COB CWET for options really.
> > They're a a lot more involved than the Python client (when that's 
> > available).
> > curl is ok as a user, but when you want to productionize something, I would 
> > think the recommendation would be to use CWET.
>
> I wouldn't. I would recommend using a sophisticated networking library
> like Java or whatever your favorite language is on the JVM.
>
> > Not saying curl is a bad tool, it is handy & does what it does.
> > Ease of use does not mean it's the solution of choice in many controlled 
> > environments.
> > By loved I mean does it get upgrades/improvements?
>
> Who told you that? My employer offers a cURL port for z/OS and it's well
> maintained with support for production environment.
>
> > I don't know I'm just asking..
> > curl-ing a shell script directly is bit ... dangerous.
>
> That's purely subjective. I don't see why cURL would be any more
> dangerous than writing a Python script or using CWET.
>
> Lots of people are using Git for DevOps on z/OS and that uses cURL for
> ssh and https transport.
>
> > Not in this case as the script is available to inspect.
>
> --
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: cURL and security

2020-07-23 Thread kekronbekron
Just mentioned ASM / COB CWET for options really.
They're a a lot more involved than the Python client (when that's available).

curl is ok as a user, but when you want to productionize something, I would 
think the recommendation would be to use CWET.

Not saying curl is a bad tool, it is handy & does what it does.
Ease of use does not mean it's the solution of choice in many controlled 
environments.
By loved I mean does it get upgrades/improvements?
I don't know I'm just asking..

curl-ing a shell script directly is bit ... dangerous.
Not in this case as the script is available to inspect.

 - KB

‐‐‐ Original Message ‐‐‐
On Friday, July 24, 2020 7:59 AM, David Crayford  wrote:

> On 2020-07-23 2:17 PM, kekronbekron wrote:
>
> > It would be best to consider switching to the z/OS Client Web Enablement 
> > Toolkit.
> > There are sample programs for REXX / ASM / COB .. and I'm positive there'll 
> > be a Python client pretty soon (IBM Open Enterprise Python for z/OS).
>
> To me the idea of writing a web client in assembler is preposterous.
> COBOL is almost as bad and I would opt to use bpxwunix() with curl over
> the Web Enabelment Toolkit any day.
> I can create a Jira ticket with a couple of lines of curl. I would
> suggest writing a REXX script using the WET would be considerably more
> effort.
>
> > Don't think cURL is loved that much on Z.
>
> Are you speaking from experience? Not loved by who? Anybody who knows
> how to use z/OS UNIX shells knows how to use curl. I used curl only
> yesterday to install a shell utility from github with a simple one-liner.
>
> sh -c "$(curl -fsSL
> https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
>
> > Hmm .. unless client auth is required at the cURL target, you don't need to 
> > worry about client certs, right?
> > Just plop on the target server's CA cert (interim & root CA) public keys in 
> > a user keyring, and point CWET to the user keyring.
> > Server auth will work just fine.
> >
> > -   KB
> >
> > ‐‐‐ Original Message ‐‐‐
> > On Thursday, July 23, 2020 10:20 AM, Filip Palian s3...@pjwstk.edu.pl wrote:
> >
> > > Hey,
> > > You can read login credentials from within a script at run time from a
> > > separate file containing password. This file should have an adequate
> > > permissions and ownership set of course.
> > > Alternatively, if you control the target, perhaps you can whitelist your
> > > curl/client.
> > > I hope that helps.
> > > Cheers,
> > > F
> > > W dniu czwartek, 23 lipca 2020 Luke akal...@hotmail.com napisał(a):
> > >
> > > > Hi All
> > > > I'm wondering if anyone is using cURL on z/OS in a production setting?
> > > > I'm interested how to utilise cURL when the target URL requires
> > > > authentication.
> > > > We can't use Basic Auth because we are not able to store usernames and
> > > > password in scripts or batch jobs.
> > > > We can't easily use certificates because our users on z/OS do not have
> > > > certificates and our Windows based corporate certificate management 
> > > > doesn't
> > > > allow users access to the private keys of their Windows certificates.
> > > > Anyone else using cURL for DevOps on z/OS and how are you securing it?
> > > > For IBM-MAIN subscribe / signoff / archive access instructions,
> > > > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> > > > --
> > >
> > > For IBM-MAIN subscribe / signoff / archive access instructions,
> > > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: cURL and security

2020-07-23 Thread kekronbekron
Hmm ... for client auth, isn't it just the public key of the client that has to 
be sent to the server?
And the server checks that against the client cert's CAs?
In which case, you only need a copy of the client pub key from Windows, and add 
it to a user keyring ... not the private key?

- KB

‐‐‐ Original Message ‐‐‐
On Friday, July 24, 2020 4:31 AM, Luke Wilby  wrote:

> I'm not sure use CWET will make any difference.
>
> The cURL targets require client authentication.
>
> The cURL targets live on z/OS (z/OS Connect, zOSMF, DB2, etc)
>
> The clients may be TSO users, batch jobs, Windows, Mac or Linux clients. The 
> batch jobs may run under userids that do not have passwords.
>
> We cannot store passwords anywhere. No scripts, no files.
>
> Our z/OS users generally don't have certificates or keyrings. Our servers do 
> (DB2, z/OS Connect, zOSMF, etc).
>
> Thanks
> Luke
>
> > It would be best to consider switching to the z/OS Client Web Enablement
> > Toolkit.
> > There are sample programs for REXX / ASM / COB .. and I'm positive there'll
> > be a Python client pretty soon (IBM Open Enterprise Python for z/OS).
> > Don't think cURL is loved that much on Z.
> > Hmm .. unless client auth is required at the cURL target, you don't need to
> > worry about client certs, right?
> > Just plop on the target server's CA cert (interim & root CA) public keys in 
> > a
> > user keyring, and point CWET to the user keyring.
> > Server auth will work just fine.
> >
> > -   KB
> >
> > ‐‐‐ Original Message ‐‐‐
> > On Thursday, July 23, 2020 10:20 AM, Filip Palian s3...@pjwstk.edu.pl
> > wrote:
> >
> > > Hey,
> > > You can read login credentials from within a script at run time from a
> > > separate file containing password. This file should have an adequate
> > > permissions and ownership set of course.
> > > Alternatively, if you control the target, perhaps you can whitelist
> > > your curl/client.
> > > I hope that helps.
> > > Cheers,
> > > F
> > > W dniu czwartek, 23 lipca 2020 Luke akal...@hotmail.com napisał(a):
> > >
> > > > Hi All
> > > > I'm wondering if anyone is using cURL on z/OS in a production setting?
> > > > I'm interested how to utilise cURL when the target URL requires
> > > > authentication.
> > > > We can't use Basic Auth because we are not able to store usernames
> > > > and password in scripts or batch jobs.
> > > > We can't easily use certificates because our users on z/OS do not
> > > > have certificates and our Windows based corporate certificate
> > > > management doesn't allow users access to the private keys of their
> > > > Windows certificates.
> > >
> > > > Anyone else using cURL for DevOps on z/OS and how are you securing it?
> > > > For IBM-MAIN subscribe / signoff / archive access instructions, send
> > > > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> > >
> > > --
> > > For IBM-MAIN subscribe / signoff / archive access instructions, send
> > > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
> > For IBM-MAIN subscribe / signoff / archive access instructions, send email 
> > to
> > lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: [OT] OOBOL and English was Re: Still COBOL After All These Years?

2020-07-23 Thread kekronbekron
Quick poll for the list:

Can we all follow a 'rule' that says [OT] must be added in all off-topic 
discussions, so we can filter them out if required?

- KB

‐‐‐ Original Message ‐‐‐
On Thursday, July 23, 2020 9:38 AM, Seymour J Metz  wrote:

> That explains why the term used in the 19th Century was confusing; it has no 
> relevance to the issue of whether the term is limited to temperatures in the 
> range 0-100.
>
>
> 
>
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of 
> Wayne Bickerdike [wayn...@gmail.com]
> Sent: Wednesday, July 22, 2020 11:16 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: OOBOL and English was Re: Still COBOL After All These Years?
>
> WTF? It's true that both used (past tense) the freezing and boiling point
> of "water" at STP, but since when weren't they defined outside of 0-100?"
>
> Because:
>
> The centigrade scale was confusing because "centigrade" was also the
> Spanish and French term for a unit of angular measurement equal to 1/100 of
> a right angle. When the scale was extended from 0 to 100 degrees for
> temperature, centigrade was more properly hectograde. The public was
> largely unaffected by the confusion. Even though the degree Celsius was
> adopted by international committees in 1948, weather forecasts issued by
> the BBC continued to use degrees centigrade until February 1985.
>
> On Thu, Jul 23, 2020 at 9:27 AM Seymour J Metz sme...@gmu.edu wrote:
>
> > WTF? It's true that both used (past tense) the freezing and boiling point
> > of "water" at STP, but since when weren't they defined outside of 0-100?
> > Scare quotes because there is no standard for the percent of Deuterium in
> > the water.
> > --
> > Shmuel (Seymour J.) Metz
> > http://mason.gmu.edu/~smetz3
> >
> > From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf
> > of Wayne Bickerdike [wayn...@gmail.com]
> > Sent: Wednesday, July 22, 2020 5:58 PM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: OOBOL and English was Re: Still COBOL After All These Years?
> > Centigrade was derived from Celsius, however, both described only the
> > freezing point and boiling point of water at NTP.
> > My physics teachers said don't say >100 centigrade. It's outside the
> > bounds. So physicists use Kelvin.
> > On Thu, Jul 23, 2020 at 7:26 AM Seymour J Metz sme...@gmu.edu wrote:
> >
> > > Actually, i does, but is not as precise:
> >
> > https://secure-web.cisco.com/1ZfcTRtyL1fHmGItPj-arpyyhb5EkDhUxhc8INI8z9BhT28rjk7J8JV2395Uwd7sGnpC_G5-WdPEkYaPYMrlh1fItSRJOUCDucUqXK5IOPjKCoC4RfbpCc1ufuEYxlinUM0WiPti_hVwdTYo1ZDI5RpLaTn1egI8jCtSkqHfLm8llGulJJUBk1ep2_bu4jEVyJvZccjCMguX5TP6eLTE2CtooWHn9naE2zF2ERJedlrw2LP0dkgR-DFrpOz7By8t7fYf1tNYFfpdL_FWB-R7Y7xXjlhtiuV8Bg1V6FWgAIiTC_TksQft1PDlIRHGjVUBu0mhbtwK07UF_blEtDFQgdEGWmaB9pTGCU2vwq0y2i3IJqA1m35BuWPympC_mbki5G6k9m9wDvZ_KMV6wap-BOnIkG4CvMdpMRheDkVgxg1ju3hbqn_LZLkKGuLqKxj0z30xjGHfcHsEKDUm037cMww/https%3A%2F%2Fwww.thoughtco.com%2Fdifference-between-celsius-and-centigrade-609226
> >
> > > --
> > > Shmuel (Seymour J.) Metz
> > > http://mason.gmu.edu/~smetz3
> > >
> > > From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU on behalf
> > > of Joe Monk joemon...@gmail.com
> > > Sent: Wednesday, July 22, 2020 4:54 PM
> > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > Subject: Re: OOBOL and English was Re: Still COBOL After All These Years?
> > > Kelvin (absolute temperature) is converted from Celsius. Centigrade
> > > doesn't
> > > exist.
> > > On Wed, Jul 22, 2020, 13:46 Jackson, Rob rwjack...@firsthorizon.com
> > > wrote:
> > >
> > > > We have definitely devolved . . . like we always do on this forum.
> > > > It's
> > >
> > > > fun though, right?
> > > > I agree on Celsius. The name disturbs me too. Centigrade is more
> > > > pleasant for some reason. Reminds me of tardigrade. Now that is
> > > > something
> > > > we could all ponder and be better off.
> > > > First Horizon Bank
> > > > Mainframe Technical Support
> > > > -Original Message-
> > > > From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On
> > > > Behalf
> > >
> > > > Of Bob Bridges
> > > > Sent: Wednesday, July 22, 2020 2:29 PM
> > > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > > Subject: Re: OOBOL and English was Re: Still COBOL After All These
> > > > Years?
> > >
> > > > [External Email. Exercise caution when clicking links or opening
> > > > attachments.]
> > > > I just think the word "Celsius" is ugly; "centigrade" is comparatively
> > > > euphonious. A personal bias.
> > > >
> > > > Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313
> > > > /* Do you know what constitutes a "hate crime"? Put your thinking caps
> > > > on. What tools do we need to determine whether a crime was motivated
> > > > by
> > >
> > > > hate or prejudice? 

Re: cURL and security

2020-07-23 Thread kekronbekron
It would be best to consider switching to the z/OS Client Web Enablement 
Toolkit.
There are sample programs for REXX / ASM / COB .. and I'm positive there'll be 
a Python client pretty soon (IBM Open Enterprise Python for z/OS).
Don't think cURL is loved that much on Z.

Hmm .. unless client auth is required at the cURL target, you don't need to 
worry about client certs, right?
Just plop on the target server's CA cert (interim & root CA) public keys in a 
user keyring, and point CWET to the user keyring.
Server auth will work just fine.

- KB

‐‐‐ Original Message ‐‐‐
On Thursday, July 23, 2020 10:20 AM, Filip Palian  wrote:

> Hey,
>
> You can read login credentials from within a script at run time from a
> separate file containing password. This file should have an adequate
> permissions and ownership set of course.
>
> Alternatively, if you control the target, perhaps you can whitelist your
> curl/client.
>
> I hope that helps.
>
> Cheers,
> F
>
> W dniu czwartek, 23 lipca 2020 Luke akal...@hotmail.com napisał(a):
>
> > Hi All
> > I'm wondering if anyone is using cURL on z/OS in a production setting?
> > I'm interested how to utilise cURL when the target URL requires
> > authentication.
> > We can't use Basic Auth because we are not able to store usernames and
> > password in scripts or batch jobs.
> > We can't easily use certificates because our users on z/OS do not have
> > certificates and our Windows based corporate certificate management doesn't
> > allow users access to the private keys of their Windows certificates.
> > Anyone else using cURL for DevOps on z/OS and how are you securing it?
> >
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: SFTP and z/OS Migration

2020-07-23 Thread kekronbekron
If you want to work with datasets (as opposed to files in USS), Co:Z SFTP is a 
no-brainer.
Believe me, it takes ages to OCOPY files from MVS to USS, especially if they're 
big files.

Alternatively, do you really need SFTP?
How about something like Luminex MDI SecureTransfer.
Their products' core principle is to use tape emulation to convert the TCP 
traffic to FICON, so you don't have TCP-related overhead.
But then once the data is on a Luminex back-end (needn't be their storage, 
could be any existing NAS etc.), you can then SFTP all you want without 
worrying about burning up CP time on the Z.


- KB

‐‐‐ Original Message ‐‐‐
On Thursday, July 23, 2020 3:00 AM, Roberto Halais  
wrote:

> "Political issues"
>
> Already ran into that.
> Thank you.
>
> On Wed, Jul 22, 2020 at 5:29 PM Seymour J Metz sme...@gmu.edu wrote:
>
> > Technically it's a no-brainer, but there may be political issues at some
> > sites.
> > --
> > Shmuel (Seymour J.) Metz
> > http://mason.gmu.edu/~smetz3
> >
> > From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU on behalf
> > of Lionel B Dyck lbd...@gmail.com
> > Sent: Wednesday, July 22, 2020 4:54 PM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: SFTP and z/OS Migration
> > Kirk's wisdom and the doc he references are OUTSTANDING. Co:Z SFTP is
> > something you absolutely need if you want to use SFTP to access z/OS
> > datasets.
> > Be aware you will have to learn a few new tricks with the Co:Z SFTP server
> > from the client side unless you are happy with only binary transfers. And
> > neither FileZilla or WinSCP provide an escape value to issue the necessary
> > commands to switch from binary to text.
> > Lionel B. Dyck <
> > Website:
> > https://secure-web.cisco.com/1su7YLWql3q2JuCMbZqQtVaZfGTPi-2EGzr-2AmEck-H5XxLTMuTJSOnguJ4AyTa34QEsDvYmW9aIH8zJLvc6VBWRTRda-EGyb3EK1kVLyZ7nMqmPWOtogV2pNSILxVz_JRyM3ngUeaeYMXlJkfFPZKtpNKvd4gFKLDXG4jCu-YsTZwYJKp8ehdX_jsl1_oyRckWxK0L0o7EJpctlKbx1MxUQ4UQPAx9UIHOWdRP7ZbkHdL9LF49SOFCGliQYJ9EAYGho8yV53tgjUfSt-zC0rPxjj7ZRTKuF_6ldUvREMO2Koq368kW8WD-UMhlayr4Xrek9eMg1GwXLnXF9LpT16VMO6pJoiBzyL1uHHi6hZq97lQz5E_V3T93mvRqJEJXnnN9GMH5yYL9J-yZAcSkW5Fpkj3WGb1Uc57BB88Z44wlC_ToH2QaVUl8p5hy4ucDv/https%3A%2F%2Fwww.lbdsoftware.com
> > "Worry more about your character than your reputation. Character is what
> > you are, reputation merely what others think you are." - John Wooden
> > -Original Message-
> > From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On Behalf
> > Of Kirk Wolf
> > Sent: Wednesday, July 22, 2020 3:43 PM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: SFTP and z/OS Migration
> > IBM z/OS OpenSSH is a base feature of z/OS since V2R2.
> > When you install a new version of z/OS you will get a new version.
> > There are often migration actions from IBM having to do with /etc/ssh
> > configuration settings. When moving releases you would at minimum want to
> > review any changes that you made from the IBM /samples and the new /samples
> > and merge those as appropriate.
> > BTW: Here's a quick start guide that we have on customizing IBM z/OS
> > OpenSSH:
> > https://secure-web.cisco.com/1kFuBUxMakNRAVJFVOewMH9LIIP2OTRg8SiVu_htNZD41RJZyNLVKsNTa6WEXeylcK5ZM1xGILiIhefULXta7xUZO9eRKq2GjKMg0pgAvGVH1qdk-StxkJSNB24ZHOnDublItI2dRxbaJ254YKnVJTU_VmE-PMaUftkzyJ6rWLuauYdSHsrPqQl-dwxGVdiMFNsSTRjVQgzNzjrgz3d4856xYoF81vYte0_nTV3vl-gpIjzpHXyYjcuRCdk5gZOGG7-PQZg0oTM2Z3vI1iJxE2KZi3kIz2fFx4sOqRzOT7_YszuYo-bWH9Iz3sdQ0n4DU9PaRRqNsWhr3jLFqVcxRx_fOsyfGGr8Am5A8IvVZh4mLtqr-J2XleXAq27Mo64WAJOPaU-33FfQqj9kBSZAwxoobYF5OZxeMLwIyHhw3MdvpKQKTsF1jztmSX6q1w8xU/https%3A%2F%2Fdovetail.com%2Fdocs%2Fpt-quick-inst%2Findex.html
> > Kirk Wolf
> > http://secure-web.cisco.com/1LetkAqmxb2mHTXoe2e35AwFZw4UYoiIeNOVgzH1Qms1MrKHD86XVzieGSUFJhCv8GbwqPhbow7NeP6IFvYjdUaYvXCjG1h6SrOBbM8Z0aY8BiznIGgTNB4MPWoeBlq9VHezSBTeajQgpsTv0DPS-EifgMxmQFHgIus0aNKsd5nTCtMZzPO8VXQvVZof7BN4s37wtsPa1FwHPZmQNrHC9UWaYP1qtW_icPDBb4QWZTKGEJSI8GAVlPMwcSsAIltqZQ1TmOecMdwTSTRMHrqTAnLc5aGT1gPLzOeLc0169dZ4oC3ssIozLNEJgKLuWvckDXYAFuLobcIX610AC0y6G-sC_6hLz315OjtuS0YSt7pnhtWMl3kxjYJlrYXapj4I9tcRYY4itCI6S1y8ogZ1et3UM9LLlvN2MBLb1nqyn11lSJBiuel8cV-T1Yk2HrnH2/http%3A%2F%2Fdovetail.com
> > On Wed, Jul 22, 2020 at 2:14 PM Roberto Halais roberto.hal...@gmail.com
> > wrote:
> >
> > > Listers:
> > > My company has decided to forego FTP and go the SFTP way.
> > > I have installed OPENSSH and have SFTP working.
> > > I installed using the IBM user's guide and everything installed in the
> > > default libraries.
> > > My concern is, when we migrate to a new z/OS release do I have to do
> > > the whole install again?
> > > Can I, from the beginning, install all the SSH libraries in a
> > > different filesystem so that when I migrate I can just mount the
> > > filesystem and execute.
> > > And later on install the new version Openssh.
> > > Don't know if I am clear in what I am asking.
> > > Just some tips on facilitating installing under a new release.
> > > Thank you.
> > >
> > > For IBM-MAIN subscribe / 

Re: TS7760 Cache utilization

2020-07-22 Thread kekronbekron
In case FTP is blocked... https://public.dhe.ibm.com/storage/tapetool

- KB

‐‐‐ Original Message ‐‐‐
On Wednesday, July 22, 2020 5:42 PM, Roger Lowe  wrote:

> On Wed, 22 Jul 2020 11:49:20 +, Gadi Ben-Avi gad...@malam.com wrote:
>
> > Hi,
> > How can I find out, using a batch job, the TS7760 cache utilization?
>
> Gadi,
> Have a look at BVIR and VEHSTATS. These are part of the IBM TAPETOOLS package 
> and you should be able to download it from 
> ftp://ftp.software.ibm.com/storage/tapetool/
>
> Roger
>
> ---
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: SMF records

2020-07-17 Thread kekronbekron
Hi Peter,

a) enabling as many subtypes in 119
b) check out near real-time monitoring for z/OS CS - 
https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.4.0/com.ibm.zos.v2r4.halx001/inttcp.htm
c) doing whatever's required (sorry I don't know the specifics off the top of 
my head) to make RACF write as much as required/possible to type 80

So basically, network & RACF related.

- KB

‐‐‐ Original Message ‐‐‐
On Friday, July 17, 2020 8:53 PM, TenEyck, Peter 
 wrote:

> A general question; from a security and auditing perspective, is there a best 
> practices or recommendation of what SMF records and sub types should be 
> created?
>
> //* Peter Ten Eyck
> //* Senior Systems Programmer
> //* American National
> //
>
> American National is the brand name for American National Insurance Company, 
> headquartered in Galveston, Texas, and its subsidiaries. Each company has 
> financial responsibility only for its own products and services. American 
> National Insurance Company is not licensed in New York. In New York, business 
> is conducted by New York licensed subsidiaries. For more information, go to 
> www.americannational.com.
> Confidentiality: This transmission, including any attachments, is solely for 
> the use of the intended recipient(s). This transmission may contain 
> information that is confidential or otherwise protected from disclosure. The 
> use or disclosure of the information contained in this transmission, 
> including any attachments, for any purpose other than that intended by its 
> transmittal is strictly prohibited. Unauthorized interception of this email 
> is a violation of federal criminal law. If you are not an intended recipient 
> of this transmission, please immediately destroy all copies received and 
> notify the sender.
>
> 
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: SMF record

2020-07-13 Thread kekronbekron
Run RACFRW against your daily SMF - 
https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha800/samrep.htm
Believe it's the LIST keyword you need to use.
Yes, RACFRW is 'stabilized', but it's enough for a first look.

- KB

‐‐‐ Original Message ‐‐‐
On Tuesday, July 14, 2020 3:57 AM, TenEyck, Peter 
 wrote:

> What SMF record and report/tool could I use to determine the point of origin 
> for this attempted logon?
>
> M 008 ABCD 20180 07:40:36.85 JOB03275 0090 ICH408I USER(RACFID ) 
> GROUP( ) NAME(??? ) 395
> E 395 0090 LOGON/JOB INITIATION - USER AT TERMINAL NOT RACF-DEFINED
>
> //* Peter Ten Eyck
> //* Senior Systems Programmer
> //* American National
> //
>
> American National is the brand name for American National Insurance Company, 
> headquartered in Galveston, Texas, and its subsidiaries. Each company has 
> financial responsibility only for its own products and services. American 
> National Insurance Company is not licensed in New York. In New York, business 
> is conducted by New York licensed subsidiaries. For more information, go to 
> www.americannational.com.
> Confidentiality: This transmission, including any attachments, is solely for 
> the use of the intended recipient(s). This transmission may contain 
> information that is confidential or otherwise protected from disclosure. The 
> use or disclosure of the information contained in this transmission, 
> including any attachments, for any purpose other than that intended by its 
> transmittal is strictly prohibited. Unauthorized interception of this email 
> is a violation of federal criminal law. If you are not an intended recipient 
> of this transmission, please immediately destroy all copies received and 
> notify the sender.
>
> 
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Concatenating lines

2020-07-13 Thread kekronbekron
Gil,

Longest line ... perhaps 3x71 or 4x71 + .

If only it were that easy... the records split at 72 (+).
No way to get the records produced without continuation.

- KB

‐‐‐ Original Message ‐‐‐
On Monday, July 13, 2020 8:55 PM, Paul Gilmartin 
<000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Mon, 13 Jul 2020 14:40:21 +, Seymour J Metz wrote:
>
> > Yes, but you will still need to insert the blank line as a terminator. If 
> > there are leading blanks then you may need manual correction with, e.g., 
> > TJ. If I had to do it often then I'd write an EDIT macro and be done with 
> > it.
>
> Is this better, or even simpler, than the Rexx script that Lionel et al. 
> proposed?
>
> And, what's the longest line the OP expects? Could the OP just use long lines
> and eliminate the concatenation complexity?
>
> -- gil
>
> --
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Concatenating lines

2020-07-11 Thread kekronbekron
Hi again,

Specifics I didn't actually expect one would see if I had 72 characters in 
an example.
The point is - in col 72, if the line contiunes, there's a +
If there's a continuation, + is the last thing to be found, in col 72.


- KB

‐‐‐ Original Message ‐‐‐
On Sunday, July 12, 2020 9:04 AM, Seymour J Metz  wrote:

> That doesn't have anything in column 72. Did you actually mean a trailing 
> plus in any column? What about a plus followed by spaces?
>
>
> -
>
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of 
> kekronbekron [02dee3fcae33-dmarc-requ...@listserv.ua.edu]
> Sent: Saturday, July 11, 2020 11:24 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Concatenating lines
>
> Hi Shmuel,
>
> It's not for any programming language.
> It's for key-value pairs such as this.
>
> Sample:
> object=blablablablablablablablablablablablablablablabla+
> blablablabla
> objec2=small
> objec3=blablablablablablablablablablablablablablablabla+
> blablablablablablablablablablablablablablablablablablab+
> blablablablablablablablablabla
>
> -   KB
>
> ‐‐‐ Original Message ‐‐‐
> On Sunday, July 12, 2020 5:13 AM, Seymour J Metz sme...@gmu.edu wrote:
>
>
> > You didn't simplify it; you changed the behavior. You're checking for 
> > non-blank while Lionel was checking for plus. Column 72 suggests assembler, 
> > but the concatenation rules are more complicated than what the OP wrote. I 
> > have no idea what the OP wanted, but neither version is correct for 
> > assembler, CLIST or REXX.
> >
> > Shmuel (Seymour J.) Metz
> > http://mason.gmu.edu/~smetz3
> > From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of 
> > Paul Gilmartin [000433f07816-dmarc-requ...@listserv.ua.edu]
> > Sent: Saturday, July 11, 2020 11:52 AM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: Concatenating lines
> > On Sat, 11 Jul 2020 08:27:54 -0500, Lionel B Dyck wrote:
> >
> > > This is a very quick and somewhat dirty example:
> > > /* rexx */
> > > 'alloc f(in) ds(lionel.doc(concinp)) shr reuse'
> > > 'execio * diskr in (finis stem in.'
> > > 'free f(in)'
> > > do i = 1 to in.0
> > > data = ''
> > > if substr(in.i,72,1) /= '+'
> > > then data = in.i
> > > else do while substr(in.i,72,1) = '+'
> > > data = data''substr(in.i,1,71)
> > > i = i + 1
> > > data = data''substr(in.i,1,71)
> > > i = i + 1
> > > if substr(in.i,72,1) /= '+' then i = i - 1
> > > end
> > > say data
> > > end
> > > Now have fun with this and I'm sure you can improve upon it for your 
> > > purposes - a generalized input prompt or allocation and same for output.
> >
> > /* Not making a non-continued line a special case,
> > I'd simplify the loop to: /
> > signal on novalue / Always! */data = ''
> > do i = 1 to in.0
> > parse value in.i with l 72 c 73 .
> > data = data''l
> > if c = ' ' then do
> > say data
> > data = ''
> > end
> > end i
> > -- gil
> >
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> ---
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Concatenating lines

2020-07-11 Thread kekronbekron
Hi Shmuel,

It's not for any programming language.
It's for key-value pairs such as this.

Sample:
object=blablablablablablablablablablablablablablablabla+
blablablabla
objec2=small
objec3=blablablablablablablablablablablablablablablabla+
blablablablablablablablablablablablablablablablablablab+
blablablablablablablablablabla


- KB

‐‐‐ Original Message ‐‐‐
On Sunday, July 12, 2020 5:13 AM, Seymour J Metz  wrote:

> You didn't simplify it; you changed the behavior. You're checking for 
> non-blank while Lionel was checking for plus. Column 72 suggests assembler, 
> but the concatenation rules are more complicated than what the OP wrote. I 
> have no idea what the OP wanted, but neither version is correct for 
> assembler, CLIST or REXX.
>
>
> 
>
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of 
> Paul Gilmartin [000433f07816-dmarc-requ...@listserv.ua.edu]
> Sent: Saturday, July 11, 2020 11:52 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Concatenating lines
>
> On Sat, 11 Jul 2020 08:27:54 -0500, Lionel B Dyck wrote:
>
> > This is a very quick and somewhat dirty example:
> > /* rexx */
> > 'alloc f(in) ds(lionel.doc(concinp)) shr reuse'
> > 'execio * diskr in (finis stem in.'
> > 'free f(in)'
> > do i = 1 to in.0
> > data = ''
> > if substr(in.i,72,1) /= '+'
> > then data = in.i
> > else do while substr(in.i,72,1) = '+'
> > data = data''substr(in.i,1,71)
> > i = i + 1
> > data = data''substr(in.i,1,71)
> > i = i + 1
> > if substr(in.i,72,1) /= '+' then i = i - 1
> > end
> > say data
> > end
> > Now have fun with this and I'm sure you can improve upon it for your 
> > purposes - a generalized input prompt or allocation and same for output.
>
> /* Not making a non-continued line a special case,
> I'd simplify the loop to: /
> signal on novalue / Always! */data = ''
> do i = 1 to in.0
> parse value in.i with l 72 c 73 .
> data = data''l
> if c = ' ' then do
> say data
> data = ''
> end
> end i
>
> -- gil
>
> -
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> ---
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Concatenating lines

2020-07-11 Thread kekronbekron
Thanks Lionel, what about when there's a 3 or 7-part line (2 or 6 lines with 
continuation char respectively.).
Need a safe way to loop the 'else do' bit you've shown below.

- KB

‐‐‐ Original Message ‐‐‐
On Saturday, July 11, 2020 5:26 PM, Lionel B Dyck  wrote:

> I'm not aware of one but that would be a very trivial rexx program to do so.
>
> This should get you started:
>
> /* rexx */
> 'alloc f(in) ds(lionel.doc(concinp)) shr reuse'
> 'execio * diskr in (finis stem in.'
> 'free f(in)'
> do i = 1 to in.0
> if substr(in.i,72,1) /= '+'
> then say in.i
> else do
> data = substr(in.i,1,71)
> i = i + 1
> data = data''in.i
> say data
> end
> end
>
> Lionel B. Dyck <
> Website: https://www.lbdsoftware.com
>
> "Worry more about your character than your reputation. Character is what you 
> are, reputation merely what others think you are." - John Wooden
>
> -Original Message-
> From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On Behalf Of 
> kekronbekron
> Sent: Saturday, July 11, 2020 6:37 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Concatenating lines
>
> Hi,
>
> Is there any program in any of the CBT tapes, or perhaps on someone's GitHub 
> .. that makes concatenating lines easy?
> If a continuating character is found in column 72, append the next line to 
> current line, and so on.
>
> Thanks,
>
> -   KB
>
> For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
> lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> ---
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Concatenating lines

2020-07-11 Thread kekronbekron
Hi,

Is there any program in any of the CBT tapes, or perhaps on someone's GitHub .. 
that makes concatenating lines easy?
If a continuating character is found in column 72, append the next line to 
current line, and so on.

Thanks,
- KB

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Two Processors and One IODF

2020-07-10 Thread kekronbekron
To get the IODF across... what you'd need to do depends on who manages DR at 
the other side:
if it's you, setup an email job on your primary system to email you the IOCP 
when a new config is activated.
If it's IBM or some such, setup an email job on your primary system to email 
the vendor/partner the IOCP when a new config is activated.

- KB

‐‐‐ Original Message ‐‐‐
On Saturday, July 11, 2020 10:51 AM, kekronbekron 
<02dee3fcae33-dmarc-requ...@listserv.ua.edu> wrote:

> The trouble with using same CU and units at both sites is ... unnecessary 
> risk of varying/initializing a unit on the wrong side. Could be a major 
> whoopsie.
> Best to use a few ranges on this side, and a few ranges on the other, so it's 
> very easy to know what's where.
>
> -   KB
>
> ‐‐‐ Original Message ‐‐‐
> On Friday, July 10, 2020 11:49 PM, Michael Babcock bigironp...@gmail.com 
> wrote:
>
>
> > We are in the process of bringing DR back in-house and have a new
> > z15-T02 in our new facility (our current "home" machine is a z14-ZR1). 
> > I want to be able to manage both processors from a single IODF.  I'd
> > like to have the same CHPIDs, CUs, and Device addresses both at home and
> > in our DR machine.   I have the new processor defined in our current
> > IODF and have used the CHPID mapping tool to map the PCHIDs to CHPIDs.  
> > I have tested adding devices with the same address to both processors
> > and that seems to work (as long as I define the CUs to both processors
> > first.  I tested adding a range of 16 tape drives).
> > My questions are this:
> > 1.  Is this something we even want to do (same IODF, same device addresses)?
> > 2.  What's the best way to move the IODF at home to the DR machine?
> > 3.  Are there any gotchas we need to watch out for?
> > 4.  We have IBM DS8886s and are using Metro Global Mirror Multi-Target
> > w/Practice.  Any concerns here?
> > 5.  Am I crazy for even entertaining this idea?
> > 6.  Any alternatives I need to consider?
> >
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Two Processors and One IODF

2020-07-10 Thread kekronbekron
The trouble with using same CU and units at both sites is ... unnecessary risk 
of varying/initializing a unit on the wrong side. Could be a major whoopsie.
Best to use a few ranges on this side, and a few ranges on the other, so it's 
very easy to know what's where.

- KB

‐‐‐ Original Message ‐‐‐
On Friday, July 10, 2020 11:49 PM, Michael Babcock  
wrote:

> We are in the process of bringing DR back in-house and have a new
> z15-T02 in our new facility (our current "home" machine is a z14-ZR1). 
> I want to be able to manage both processors from a single IODF.  I'd
> like to have the same CHPIDs, CUs, and Device addresses both at home and
> in our DR machine.   I have the new processor defined in our current
> IODF and have used the CHPID mapping tool to map the PCHIDs to CHPIDs.  
> I have tested adding devices with the same address to both processors
> and that seems to work (as long as I define the CUs to both processors
> first.  I tested adding a range of 16 tape drives).
>
> My questions are this:
>
> 1.  Is this something we even want to do (same IODF, same device addresses)?
>
> 2.  What's the best way to move the IODF at home to the DR machine?
>
> 3.  Are there any gotchas we need to watch out for?
>
> 4.  We have IBM DS8886s and are using Metro Global Mirror Multi-Target
> w/Practice.  Any concerns here?
>
> 5.  Am I crazy for even entertaining this idea?
>
> 6.  Any alternatives I need to consider?
>
> --
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Configuring a CP online [EXTERNAL]

2020-07-09 Thread kekronbekron
I may be incorrect, but isn't the image profile to say this image is allowed to 
have these many CPs?
Or is it also supposed to bring it online ...
If not, adding it to COMMND00 should be enough

- KB

‐‐‐ Original Message ‐‐‐
On Thursday, July 9, 2020 12:32 AM, Mark Jacobs 
<0224d287a4b1-dmarc-requ...@listserv.ua.edu> wrote:

> Yes, the Image profile needs to be updated for number of CPs to be brought 
> online during IPL.
>
> Mark Jacobs
>
> Sent from ProtonMail, Swiss-based encrypted email.
>
> GPG Public Key - 
> https://api.protonmail.ch/pks/lookup?op=get=markjac...@protonmail.com
>
> ‐‐‐ Original Message ‐‐‐
> On Wednesday, July 8, 2020 2:46 PM, Feller, Paul 
> 02fc94e14c43-dmarc-requ...@listserv.ua.edu wrote:
>
> > If this CP is to be online from now on then update the lpar hardware 
> > profile to insure that it will be there after any deactivate/activate of 
> > the lpar. In the back of my mind I'm thinking during the IPL process the 
> > system looks at the profile to see what number of CPs should be online. I 
> > could be wrong, but I keep thinking I've run into the same situation and 
> > updating the profile fixed the issue.
> > Thanks..
> > Paul Feller
> > GTS Mainframe Technical Support
> > -Original Message-
> > From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On Behalf Of 
> > Jesse 1 Robinson
> > Sent: Wednesday, July 08, 2020 1:33 PM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Configuring a CP online [EXTERNAL]
> > We added a logical CP a while back via CF online. After the next IPL, it 
> > was offline until we reissued the CF command. What do we have to do to make 
> > it 'permanent'?
> > .
> > .
> > J.O.Skip Robinson
> > Southern California Edison Company
> > Electric Dragon Team Paddler
> > SHARE MVS Program Co-Manager
> > 323-715-0595 Mobile
> > 626-543-6132 Office <= NEW
> > robinsj2@sce.commailto:robin...@sce.com
> > --
> > For IBM-MAIN subscribe / signoff / archive access instructions, send email 
> > to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
> > Please note: This message originated outside your organization. Please use 
> > caution when opening links or attachments.
> >
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Storage & tape question

2020-07-08 Thread kekronbekron
Dumb question - can integrity checks for backups be done with dump 
hashes/signatures, either in software or in the storage array (if the array 
maintains metadata about files/objects) ?
If there's an automated flow for this, many teams could sleep peacefully, 
knowing that backups are in good condition, without having to actually pick one 
and test the flow.

- KB

‐‐‐ Original Message ‐‐‐
On Wednesday, July 8, 2020 8:56 PM, Glenn Wilcock  wrote:

> Hi All,
>
> I want to give another perspective on the need for backup copies. The focus 
> here is on physical loss of storage. With replication, and many clients 
> having 2, 3 and even 4 sites, the probability of needing a backup copy to 
> recover from a physical loss of data really has decreased. (Still there, none 
> the less). BUT, the probability for logical data corruption has INCREASED. 
> Accidental and malicious data corruption is instantly mirrored to all 
> replication copies, making them useless. Working in HSM, I regularly see 
> calls requesting assistance in recovering large amounts of data from backup 
> copies. We're all human and we all make mistakes. Some of those mistakes 
> result in data loss. Also, all products have programming defects and some of 
> those defects result in data loss. This speaks nothing to the current 
> environment where governments are mandating policies and procedures for 
> protecting against malicious data destruction. Your only hope for recovery is 
> a PiT backup prior to the data loss/corruption. Not all loss/corruption will 
> be found immediately. So, your ability to recover is a factor of how long it 
> takes you to determine that there was corruption/loss and how much your 
> willing to invest in keeping backup copies for at least that long.
>
> Glenn Wilcock
> DFSMS Chief Product Owner
>
> ---
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Storage & tape question

2020-07-07 Thread kekronbekron
Hi RS,

"Even the biggest, cheapest and really huge DASD will not protect you
form human and application (and other) errors. But backup will do it."

Don't understand why 'offline' backup is considered a difficulty when going 
all-DASD.
Keeping synchronous replication aside, PiT/snapshots are still a thing, right? 
ADRDSSU or FDR based dataset/volume dumps still work right?
It maybe 'dumb' to have backups also go to the same DASD, but secondary DASD 
for backups should work.
I've seen in a lot of the recent SHARE sessions that many sites use A to B sync 
and then A to A` & B to B` local/offline copies.
It all boils down to the resiliency of the primary storage w.r.t serviceability 
and being generally painless to operate/manage.

Also, if there's no easy way of changing the esoteric 'CART' or '3490/3590' to 
go to primary disk, perhaps something like -
DASD, tape emulator (Optica zVT/Luminex CGX/any other) -> DASD

Not considering the Luminex MVT-like options that come with storage capacity.
The whole idea is if there exists some magical DASD vendor that offers RAS & 
capacity for "cheap" vs operational cost of VTL-like solutions...

- KB

‐‐‐ Original Message ‐‐‐
On Tuesday, July 7, 2020 2:05 PM, R.S.  wrote:

> Yes, it is possible to have VTS without real tapes on backend. Some
> vendors do offer only "tapeless tapes", with no option to connect real
> tape library.
> However from OS point of view there is difference between disk (DASD)
> and tape (offline storage).
> Price difference is also worth to consider, however I mean the logic.
> Even the biggest, cheapest and really huge DASD will not protect you
> form human and application (and other) errors. But backup will do it.
> That's why we do backups. We don't afraid of disk failure, because we
> have RAID, spare modules and possibly remote copy. However we do backups.
> If you insist on DASD, you may (theoretically) connect another DASD box
> dedicated for backups only. And even (logically) disconnect it between
> backup sessions. However it is IMHO worse version of VTS.
>
> Note: I do not discuss here things like price (initial, per terabyte),
> compression, thruput, scalability, RAID, etc.
>
> ---
>
> Radoslaw Skorupka
> Lodz, Poland
>
> W dniu 06.07.2020 o 16:46, kekronbekron pisze:
>
> > Hmm... do a lot of shops use actual cart based tapes ... TS77xx with TS4x00?
> > Don't know if EMC DLm has a cart back-end option.
> > If it's VTL with disk back-end, is that any different from having it all on 
> > DASD?
> >
> > -   KB
> >
> > ‐‐‐ Original Message ‐‐‐
> > On Monday, July 6, 2020 4:25 PM, R.S. r.skoru...@bremultibank.com.pl wrote:
> >
> > > I forgot something obvious for me: NEVER USE TAPES FOR APPLICATION DATA.
> > > No jobs should write or read tapes.
> > > Nothing except backup and restore and (optionally) ML2. Managed by HSM
> > > or FDR. Some excepions for archive copies are worth to consider.
> > > Note: you may have 15 years old backup on new shining tape. Migration
> > > from older tape is no nightmare at all. It is simple.
> > >
> > > Radoslaw Skorupka
> > > Lodz, Poland
> > > W dniu 06.07.2020 o 12:49, R.S. pisze:
> > >
> > > > W dniu 05.07.2020 o 14:12, kekronbekron pisze:
> > > >
> > > > > Hello List,
> > > > > Just wondering ... assuming there's a primary storage product out
> > > > > there that can store how-many-ever hoo-haa-bytes, and is a good
> > > > > product in general, it should make sense to begin eliminating all
> > > > > tape (3490/3590) use right?
> > > > > First, ML1 & ML2 in HSM, then HSM itself, then rebuild jobs to write
> > > > > to disk, or do SMS/ACS updates to make it all disk reads/writes.
> &g

Re: Storage & tape question

2020-07-06 Thread kekronbekron
Thank you for the detailed response Glenn, IBM-MAIN is truly amazing.


> Migrate/Archive
> The three purposes of HSM migration are to 1) compress the data so that the 
> footprint is smaller, 2) move it to a lower cost media so that the TCO is 
> lower and 3) move the data to an offline media that doesn't consume online 
> UCBs. When considering bringing all of your data back online, you need to 
> consider the impact of all three. 1) Assuming 3:1 compaction, you'll need 3x 
> the online storage. With zEDC, that will vary on both what you can get on the 
> primary storage and the ML2 storage. 3) For larger shops, the number on 
> online UCBs is a factor. It's not a factor for smaller shops.

-
1) Compression - wouldn't it be enough to rely on z15 on-chip compression + the 
compression/dedupe done by the storage array itself? Sure, it may not be 3:1.. 
but worth evaluating?
If the array itself is doing C+D, then "rehydrating" the data isn't a problem I 
believe?

2) It's not just the storage cost though right.. (cost of a bunch of disk, S) 
vs (cost of tape emulation, physical carts, bandwidth, S, HSM's direct & 
indirect costs)
3) Ok, the UCB thing can be problematic for big shops, agreed. There's only so 
much you can do with 3390-54 (are bigger volumes coming anytime soon?).


> Another thing to consider with an all disk environment is your 'relief 
> valve'. It's simple to migrate data to tape as a means of ensuring that you 
> always have enough space on your primary storage for growth. If you only have 
> primary storage, what is your exception handling case when you have 
> unexpected growth and no migration tiers to which to move your inactive data? 
> How quickly can you bring more primary storage online?
Sorry, I know it sounds silly when I keep saying 'assume x/y/z is already 
catered to', but ... assuming primary storage provisioning is no longer a 
problem (apart from the UCBs mentioned above).


> Another option is DS8000 transparent cloud tiering. This enables you to 
> migrate inactive data to cloud object storage, with minimal cpu since the 
> DS8K is doing the data movement. If not a primary means of migrating data, it 
> is a very good option for a 'relief valve'.
Hmm... the two whole approaches (all-primary vs standard procedure) need to 
costed out and compared to be impartial to either case.


> Backup
> Regardless of the replication technique that you are using 
> (synchronous/asynchronous), you need point-in-time copies of your data for 
> logical corruption protection. If a data set is accidentally or maliciously 
> deleted, replication quickly deletes it from all copies. Also, if data 
> becomes logically corrupted, it is instantly corrupted in all copies. So, you 
> have to have a point-in-time backup technique for all of your data. You need 
> as many copies as you want recovery points. One copy doesn't give you much 
> security. Keeping n copies on disk can get pricey and consume alot of 
> storage. Also, you need to replicate the n PiT copies to all of your sites so 
> that you can do a logical recovery after a physical fail over. This makes the 
> cost add up even more quickly. TCT is another good option for this. You can 
> keep 1 or 2 copies on disk and then have HSM migrate/expire the older backup 
> copies to cloud object storage which is then available at all of your 
> recovery sites.
If we consider that the storage array has *proper* support for multi-site, 
snapshots/PiTs, etc. ... again not problematic.


Fully understand I may be dreaming about such a primary storage, it's good to 
know the technical constraints against it.

- KB

‐‐‐ Original Message ‐‐‐
On Monday, July 6, 2020 10:54 PM, Glenn Wilcock  wrote:

> A few thoughts:
>
> Migrate/Archive
> The three purposes of HSM migration are to 1) compress the data so that the 
> footprint is smaller, 2) move it to a lower cost media so that the TCO is 
> lower and 3) move the data to an offline media that doesn't consume online 
> UCBs. When considering bringing all of your data back online, you need to 
> consider the impact of all three. 1) Assuming 3:1 compaction, you'll need 3x 
> the online storage. With zEDC, that will vary on both what you can get on the 
> primary storage and the ML2 storage. 3) For larger shops, the number on 
> online UCBs is a factor. It's not a factor for smaller shops.
>
> Some clients have selected to go to an all HSM ML1 environment to still get 
> the advantage of zEDC compression on inactive data. (You may be utilizing 
> zEDC for primary storage, but that is only available for nonVSAM data). These 
> clients utilize the lowest cost disk and utilize the value of zEDC 
> compression to minimize the footprint.
>
> Another thing to consider with an all disk environment is your 'relief 
> valve'. It's simple to migrate data to tape as a means of ensuring that you 
> always have enough space on your primary storage for growth. If you only have 
> primary storage, what is your 

Re: Storage & tape question

2020-07-06 Thread kekronbekron
Hmm... do a lot of shops use actual cart based tapes ... TS77xx with TS4x00?
Don't know if EMC DLm has a cart back-end option.

If it's VTL with disk back-end, is that any different from having it all on 
DASD?


- KB

‐‐‐ Original Message ‐‐‐
On Monday, July 6, 2020 4:25 PM, R.S.  wrote:

> I forgot something obvious for me: NEVER USE TAPES FOR APPLICATION DATA.
> No jobs should write or read tapes.
> Nothing except backup and restore and (optionally) ML2. Managed by HSM
> or FDR. Some excepions for archive copies are worth to consider.
> Note: you may have 15 years old backup on new shining tape. Migration
> from older tape is no nightmare at all. It is simple.
>
> -
>
> Radoslaw Skorupka
> Lodz, Poland
>
> W dniu 06.07.2020 o 12:49, R.S. pisze:
>
> > W dniu 05.07.2020 o 14:12, kekronbekron pisze:
> >
> > > Hello List,
> > > Just wondering ... assuming there's a primary storage product out
> > > there that can store how-many-ever hoo-haa-bytes, and is a good
> > > product in general, it should make sense to begin eliminating all
> > > tape (3490/3590) use right?
> > > First, ML1 & ML2 in HSM, then HSM itself, then rebuild jobs to write
> > > to disk, or do SMS/ACS updates to make it all disk reads/writes.
> > > Looking at the current storage solutions out there, this is possible,
> > > right?
> > > What would be the drawbacks (assume that primary storage is super
> > > cost-efficient, so there's no need to archive anything).
> >
> > Few remarks:
> > Even the cheapest possible DASD will not replace backup and other
> > things (archive copy, etc.)
> > I did replace 3490E tapes with really cheap second hand DASD boxes, it
> > was approx. 20 years ago. Been There, done that. It wasn't very fine
> > solution, it was cheap and working. AFAIR HSM does not like DASD as
> > the output for some activities, can't remember details.
> > Someone wrote about tapes moved to DR shelter. That's very
> > old-fashioned. I would strongly prefer to have remote copy, that means
> > two dasd-boxes and connectivity between.
> > There are products for tape emulation on CKD disk. It is definitely no
> > cheap. It also consume MSU.
> > Tapes, even virtual tapes are OFFLINE media from MVS point of view.
> > Offline media are good for some ps! mistakes.
> > Last, but not least: you assumption is far from reality. DASD is still
> > more expensive than tape. The more capacity the difference is bigger.
> > Tape (real one) is cheap when talking about carts and very well
> > scalable. However tape realm with "first cart" is extremely expensive,
> > because drives are expensive, controllers are expensive and ATLs are
> > expensive.
> > The real decision depends strongly on your capacity, your predicted
> > growths, your needs and budget.
>
> ==
>
> Jeśli nie jesteś adresatem tej wiadomości:
>
> -   powiadom nas o tym w mailu zwrotnym (dziękujemy!),
> -   usuń trwale tę wiadomość (i wszystkie kopie, które wydrukowałeś lub 
> zapisałeś na dysku).
> Wiadomość ta może zawierać chronione prawem informacje, które może 
> wykorzystać tylko adresat.Przypominamy, że każdy, kto rozpowszechnia 
> (kopiuje, rozprowadza) tę wiadomość lub podejmuje podobne działania, narusza 
> prawo i może podlegać karze.
>
> mBank S.A. z siedzibą w Warszawie, ul. Senatorska 18, 00-950 
> Warszawa,www.mBank.pl, e-mail: kont...@mbank.pl. Sąd Rejonowy dla m. st. 
> Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego, KRS 025237, 
> NIP: 526-021-50-88. Kapitał zakładowy (opłacony w całości) według stanu na 
> 01.01.2020 r. wynosi 169.401.468 złotych.
>
> If you are not the addressee of this message:
>
> -   let us know by replying to this e-mail (thank you!),
> -   delete this message permanently (including all the copies which you have 
> printed out or saved).
> This message may contain legally protected information, which may be used 
> exclusively by the addressee.Please be reminded that anyone who disseminates 
> (copies, distributes) this message or takes any similar action, violates the 
> law and may be penalised.
>
> mBank S.A. with its registered office in Warsaw, ul. Senatorska 18, 
> 00-950 Warszawa,www.mBank.pl

Re: Using SSH and SFTP from Windows to z/OS using authorized_keys ???

2020-07-05 Thread kekronbekron
Check this - 
https://makezine.com/2017/09/07/secure-your-raspberry-pi-against-attackers/
Believe you'll have to explicitly disable password-based auth.

- KB

‐‐‐ Original Message ‐‐‐
On Sunday, July 5, 2020 11:43 PM, Grant Taylor 
<023065957af1-dmarc-requ...@listserv.ua.edu> wrote:

> On 7/5/20 12:02 PM, Lionel B Dyck wrote:
>
> > I thought using SSH/SFTP would be able to skip the password by using
> > my ssh key?
>
> Check the permissions of the ~/.ssh folder and all parent folders.
> Group and other can't have write.
>
> Ask the admin to check the ssh server logs. It will almost always say
> why the key is ignored.
>
> There is also a chance that the SSH daemon has been configured to not
> allow keys.
>
> Try adding "-v" to the ssh command to increase verbosity. Make sure
> that your client is offering the key.
>
>
> -
>
> Grant. . . .
> unix || die
>
> -
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Storage & tape question

2020-07-05 Thread kekronbekron
Ok, so assuming the primary storage takes care of DR backups, active/active, 
sync/async replication, physical risks [earth(quake), fire, wind, water, 
power], assures ease of standing up the DR environment after a whoopsie, isn't 
from a rent-seeking company that does planned obsolescence (i.e., there's a way 
to upgrade h/w without having to take it down).

Thank you, I don't mean to say everything is already accounted for, just trying 
to surface the kind of issues/things to consider.


‐‐‐ Original Message ‐‐‐
On Sunday, July 5, 2020 11:07 PM, retired mainframer  
wrote:

> You might want to consider whether transportability is an issue. How do you 
> get your backups to your disaster recovery site? The systems I worked on were 
> prohibited from connecting to public networks.
>
> You might also want to consider operational security. If your new storage 
> device is physically on line, it is subject to things like accidental data 
> deletion and damage from a power surge, fire, or EMP. A tape drive in a 
> secure vault could probably survive the next mass extinction.
>
> And after you resolve all the technical issues, somebody should still bring 
> up cost. It's not just acquisition cost per megabyte but things like 
> equipment footprint, power, air conditioning, maintenance. And don't forget 
> planned obsolescence. Mine was one of the last sites in the company 
> (country?) to use 9345s.
>
> > -Original Message-
> > From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On
> > Behalf Of kekronbekron
> > Sent: Sunday, July 05, 2020 5:13 AM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Storage & tape question
> > Hello List,
> > Just wondering ... assuming there's a primary storage product out there 
> > that can store
> > how-many-ever hoo-haa-bytes, and is a good product in general, it should 
> > make sense
> > to begin eliminating all tape (3490/3590) use right?
> > First, ML1 & ML2 in HSM, then HSM itself, then rebuild jobs to write to 
> > disk, or do
> > SMS/ACS updates to make it all disk reads/writes.
> > Looking at the current storage solutions out there, this is possible, right?
> > What would be the drawbacks (assume that primary storage is super 
> > cost-efficient, so
> > there's no need to archive anything).
> >
> > -   KB
> >
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Storage & tape question

2020-07-05 Thread kekronbekron
Yup, those are the things I'm looking to identfy - what kinda things should one 
address before saying goodbye to tapes altogether (tapes/vtapes).

- KB

‐‐‐ Original Message ‐‐‐
On Sunday, July 5, 2020 8:33 PM, Seymour J Metz  wrote:

> If you have DASD that are as cost effective as tape, have off site mirroring 
> and have software to keep track of and retrieve old versions, then you don't 
> need tape. If you go that way, it's crucial to have all of your ducks in a 
> row before you start changing things. Take a close look at what you're using 
> your current backup software for and ensure that any replacement has the 
> necessary functionality.
>
>
> -
>
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of 
> kekronbekron [02dee3fcae33-dmarc-requ...@listserv.ua.edu]
> Sent: Sunday, July 5, 2020 8:12 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Storage & tape question
>
> Hello List,
>
> Just wondering ... assuming there's a primary storage product out there that 
> can store how-many-ever hoo-haa-bytes, and is a good product in general, it 
> should make sense to begin eliminating all tape (3490/3590) use right?
> First, ML1 & ML2 in HSM, then HSM itself, then rebuild jobs to write to disk, 
> or do SMS/ACS updates to make it all disk reads/writes.
>
> Looking at the current storage solutions out there, this is possible, right?
> What would be the drawbacks (assume that primary storage is super 
> cost-efficient, so there's no need to archive anything).
>
> -   KB
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> ---
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Storage & tape question

2020-07-05 Thread kekronbekron
Thanks Joel for the detailed response.
As long as there's good backup and restore-testing hygeine, eliminating tape or 
vtape altogether (plus the complexity around it - HSM, OAM, 3490 emulation) ... 
is something doable then.
Benefit would be severely reduced complexity (and cost), which is probably 
worth it.

- KB

‐‐‐ Original Message ‐‐‐
On Sunday, July 5, 2020 7:44 PM, Joel C. Ewing  wrote:

> One of the major historical functional differences between tape-based
> and DASD-based data sets has to do with with ability to recover deleted
> data sets later found to be needed.   You delete a data set on DASD,
> odds are very good something else overwrites that data or all knowledge
> of the location of the old data quickly in seconds, minutes or hours and
> destroys all possibility of recovery.   You delete a data  set on tape,
> the physical tape volume may not be re-used for days or weeks -- or if
> you realized there is an issue, the physical tape volume could be set
> aside and easily kept for archive indefinitely. 
>
> In the old days, an application read a tape master file, did updates,
> wrote out a new tape master file with the same name, and operators put
> physical labels on the tape volumes and just knew how long to keep the
> old physical master volumes and not mount them as output tapes.   That
> design evolved so that master files and other files that needed
> retention became GDG's with "reasonable" limits, with tape volumes
> protected or made eligible for re-use by a tape management system.  In
> theory, such GDGs could just as easily be on DASD as tape.  In practice
> one encountered applications systems where "temp" data sets that were
> originally on tape because of data set size probably should have been
> GDGs but were not; where applications that used to run once a month now
> ran more frequently or irregularly on user demand, and GDG limits and
> data set retention rules had not been increased as much as they should
> have been.  These errors typically don't get detected until there is a
> problem requiring old data to recover.
>
> It is not always possible for application systems to anticipate all
> possible failures, particularly those caused by bad user input where the
> error might not be discovered until much later, or by an operational
> error or JCL design error where incorrect job re-starts could cause
> premature data-set deletion.  Over the decades I saw a number of
> application systems that were able to recover from problems where the
> recovery was either made easier or possible by access to tape data sets
> that had logically scratched but were still physically available.   Even
> virtual tape systems still allow for some leeway on the destruction of
> logically scratched tape volumes, but typically that retention with
> virtual tape was only a matter of days, unless the problem was
> recognized in time to mark the volume for retention in the tape
> management system.
>
> It is even possible to recover the data in the case of a deleted ML2
> data set on tape:  If the physical volume ML2 is still intact and you
> have backups of the HSM CDS data sets before the deletion, an
> independent test/recovery z/OS system can be used to recall the data set
> and save it in a way that can be ported back to the  original system.
>
> So yes, in a perfect world you could just eliminate all tape and replace
> tape data sets with DASD data sets; but this really needs to be
> co-ordinated  with a careful review of application systems to be sure
> that there is proper retention of all data sets potentially needed for
> recovery from data and/or design errors -- and best to err on the side
> of excess retention to guard against the unexpected.  For some
> application systems it might even make sense to ask, what would it take
> to reprocess all data from any starting point in the last x months for
> some value of x.
>     Joel C. Ewing
>
> On 7/5/20 7:12 AM, kekronbekron wrote:
>
> > Hello List,
> > Just wondering ... assuming there's a primary storage product out there 
> > that can store how-many-ever hoo-haa-bytes, and is a good product in 
> > general, it should make sense to begin eliminating all tape (3490/3590) use 
> > right?
> > First, ML1 & ML2 in HSM, then HSM itself, then rebuild jobs to write to 
> > disk, or do SMS/ACS updates to make it all disk reads/writes.
> > Looking at the current storage solutions out there, this is possible, right?
> > What would be the drawbacks (assume that primary storage is super 
> > cost-efficient, so there's no need to archive anything).
> >
> > -   KB
> >
> > ...
>
> --
>
> Joel C. Ewing
>
> --
>
> Fo

Storage & tape question

2020-07-05 Thread kekronbekron
Hello List,

Just wondering ... assuming there's a primary storage product out there that 
can store how-many-ever hoo-haa-bytes, and is a good product in general, it 
should make sense to begin eliminating all tape (3490/3590) use right?
First, ML1 & ML2 in HSM, then HSM itself, then rebuild jobs to write to disk, 
or do SMS/ACS updates to make it all disk reads/writes.

Looking at the current storage solutions out there, this is possible, right?
What would be the drawbacks (assume that primary storage is super 
cost-efficient, so there's no need to archive anything).

- KB

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: IBM Personal Communications font

2020-07-04 Thread kekronbekron
Thank you Giliad, good to know that there's at least one other person who cares 
about fonts in 3270!
>From what I remember, PCOMM 13.x added support for font scaling, so that 
>should help things look better, I'd assume.
However, as for font choice itself, I think it's still the same bunch.

Now that IBM has its own font, I wonder why it hasn't replaced 'IBM3270' with 
the beautiful IBM Plex Mono family.

- KB

‐‐‐ Original Message ‐‐‐
On Saturday, July 4, 2020 1:24 PM, Giliad Wilf 
<00d50942efa9-dmarc-requ...@listserv.ua.edu> wrote:

> Hi All,
>
> Is it possible to configure PCOMM (V6, if it matters) to use a font of choice?
>
> Specifically, I'm interested in "Lucida Console" font, which displays better, 
> clearer at any size.
>
> Thanks
>
> 
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Mainframe co-op

2020-07-03 Thread kekronbekron
In fact, if IBM really does consider this, they might as well also build a 
near-real-time security monitoring product for Z, using CDPz as a source pump.
Maybe Z Operations Insight Suite already has security-specific 
dashboard(s)/reports...

- KB

‐‐‐ Original Message ‐‐‐
On Saturday, July 4, 2020 9:22 AM, kekronbekron 
<02dee3fcae33-dmarc-requ...@listserv.ua.edu> wrote:

> Besides, any opportunity that allows others to poke at the platform, is an 
> opportunity well-left (for IBM).
>
> However, since IBM now has controls like
> a) ALLOWUSERKEY
> b) z/OS Authorized Code Scanner
> c) near-real-time interfaces to SMF and tools like CDPz
>
> ... they should be capable of seting up a tightened & fully monitored 
> environment.
> Don't believe the above will allow for messing around / learning HCD & other 
> I/O stuff, without them building an sim/emulated env. for that level of 
> control.
>
> -   KB
>
> ‐‐‐ Original Message ‐‐‐
> On Saturday, July 4, 2020 9:16 AM, kekronbekron wrote:
>
>
> > Would love to know more about what your FICON buddy is working on Grant.
> > If you wanna share (prefer off-list?), please email :)
> > Unless IBM explicitly sets up college courses or NDA-tied free-roam access 
> > or whatever, it's only going to be the likes of zAcademy, i.e., restricted 
> > lab environments to basically market at the command-line, much like walking 
> > the dotten line in an acquarium/zoo/etc. (if you turn to your right, you 
> > can issue 2 commands to Spark on Z)
> > Funny though, because isn't this exactly what Time Sharing Option was, when 
> > it was first introduced?
> >
> > -   KB
> > ‐‐‐ Original Message ‐‐‐
> > On Friday, July 3, 2020 9:48 PM, Grant Taylor 
> > 023065957af1-dmarc-requ...@listserv.ua.edu wrote:
> >
> >
> > > On 7/3/20 10:12 AM, Grant Taylor wrote:
> > >
> > > > I know multiple people that have CPCs.  But they don't currently have
> > > > DASD.  I think at least one of them has a line on legal licenses for
> > > > z/OS for his CPC.
> > >
> > > One of the people I know is developing his own FICON connected DASD by
> > > reading any and all documents he can get his hands on.
> > > What do we, as the mainframe community, and IBM, as the big name, need
> > > to do to encourage these extremely creative, resourceful, and driven
> > > people better access to a functioning mainframe so that they can use
> > > their creative talents and drive to help further the mainframe?
> > > There are a group of hobbyists and enthusiasts that have taken MVS 3.8j,
> > > which decidedly does not include REXX or prerequisites therefor, and
> > > backported (?) REXX to it, including re-creating any prerequisites.
> > > This is the creative and enthusiastic spirit that created Unix 50 years
> > > ago and helped Linux become what it is today. Just think for a moment
> > > where the mainframe could be in 10 or 20 years if even some of these
> > > creative efforts were directed at enhancing the mainframe.
> > > Grant. . . .
> > > unix || die
> > > For IBM-MAIN subscribe / signoff / archive access instructions,
> > > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Mainframe co-op

2020-07-03 Thread kekronbekron
Besides, any opportunity that allows others to poke at the platform, is an 
opportunity well-left (for IBM).

However, since IBM now has controls like
a) ALLOWUSERKEY
b) z/OS Authorized Code Scanner
c) near-real-time interfaces to SMF and tools like CDPz


... they should be capable of seting up a tightened & fully monitored 
environment.
Don't believe the above will allow for messing around / learning HCD & other 
I/O stuff, without them building an sim/emulated env. for that level of control.

- KB

‐‐‐ Original Message ‐‐‐
On Saturday, July 4, 2020 9:16 AM, kekronbekron  
wrote:

> Would love to know more about what your FICON buddy is working on Grant.
> If you wanna share (prefer off-list?), please email :)
>
> Unless IBM explicitly sets up college courses or NDA-tied free-roam access or 
> whatever, it's only going to be the likes of zAcademy, i.e., restricted lab 
> environments to basically market at the command-line, much like walking the 
> dotten line in an acquarium/zoo/etc. (if you turn to your right, you can 
> issue 2 commands to Spark on Z)
>
> Funny though, because isn't this exactly what Time Sharing Option was, when 
> it was first introduced?
>
> -   KB
>
> ‐‐‐ Original Message ‐‐‐
> On Friday, July 3, 2020 9:48 PM, Grant Taylor 
> 023065957af1-dmarc-requ...@listserv.ua.edu wrote:
>
>
> > On 7/3/20 10:12 AM, Grant Taylor wrote:
> >
> > > I know multiple people that have CPCs.  But they don't currently have
> > > DASD.  I think at least one of them has a line on legal licenses for
> > > z/OS for his CPC.
> >
> > One of the people I know is developing his own FICON connected DASD by
> > reading any and all documents he can get his hands on.
> > What do we, as the mainframe community, and IBM, as the big name, need
> > to do to encourage these extremely creative, resourceful, and driven
> > people better access to a functioning mainframe so that they can use
> > their creative talents and drive to help further the mainframe?
> > There are a group of hobbyists and enthusiasts that have taken MVS 3.8j,
> > which decidedly does not include REXX or prerequisites therefor, and
> > backported (?) REXX to it, including re-creating any prerequisites.
> > This is the creative and enthusiastic spirit that created Unix 50 years
> > ago and helped Linux become what it is today. Just think for a moment
> > where the mainframe could be in 10 or 20 years if even some of these
> > creative efforts were directed at enhancing the mainframe.
> >
> > Grant. . . .
> > unix || die
> >
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Mainframe co-op

2020-07-03 Thread kekronbekron
Would love to know more about what your FICON buddy is working on Grant.
If you wanna share (prefer off-list?), please email :)

Unless IBM explicitly sets up college courses or NDA-tied free-roam access or 
whatever, it's only going to be the likes of zAcademy, i.e., restricted lab 
environments to basically market at the command-line, much like walking the 
dotten line in an acquarium/zoo/etc. (if you turn to your right, you can issue 
2 commands to Spark on Z)

Funny though, because isn't this exactly what Time Sharing Option was, when it 
was first introduced?

- KB

‐‐‐ Original Message ‐‐‐
On Friday, July 3, 2020 9:48 PM, Grant Taylor 
<023065957af1-dmarc-requ...@listserv.ua.edu> wrote:

> On 7/3/20 10:12 AM, Grant Taylor wrote:
>
> > I know multiple people that have CPCs.  But they don't currently have
> > DASD.  I think at least one of them has a line on legal licenses for
> > z/OS for his CPC.
>
> One of the people I know is developing his own FICON connected DASD by
> reading any and all documents he can get his hands on.
>
> What do we, as the mainframe community, and IBM, as the big name, need
> to do to encourage these extremely creative, resourceful, and driven
> people better access to a functioning mainframe so that they can use
> their creative talents and drive to help further the mainframe?
>
> There are a group of hobbyists and enthusiasts that have taken MVS 3.8j,
> which decidedly does not include REXX or prerequisites therefor, and
> backported (?) REXX to it, including re-creating any prerequisites.
>
> This is the creative and enthusiastic spirit that created Unix 50 years
> ago and helped Linux become what it is today. Just think for a moment
> where the mainframe could be in 10 or 20 years if even some of these
> creative efforts were directed at enhancing the mainframe.
>
>
> -
>
> Grant. . . .
> unix || die
>
> -
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Mainframe co-op

2020-07-03 Thread kekronbekron
Ehh ... docker version of z/OS (containerized z/OS) or a container daemon 
native to z/OS, i.e. building a OCI-compliant container daemon for z/OS, 
managing it with "RedHat's" podman and OpenShift/Kooberneetus?

That is, unlike zCX which is just adding support for running s390x images on 
z/OS, it's going to be native container targeting 'ibmz' or whatever, like 
s390x/x86/ARM.

I think it's the latter.
Should wash my hands for saying the C word these many times.

- KB

‐‐‐ Original Message ‐‐‐
On Saturday, July 4, 2020 1:41 AM, Mike Schwab  wrote:

> IBM is introducing a DOCKER version of z/OS, so you own that image and
> it is loaded as needed. That should give you more isolation from PTFs
> that IBM applies to their base docker image that customers start from.
>
> On Fri, Jul 3, 2020 at 7:15 PM ste...@copper.net ste...@copper.net wrote:
>
> > Years ago, in Silicon Valley, I worked on ACS/OBS WYLBUR. We had a P/390 
> > that I had tuned the I/O for to really speed it up. ACS also sold time on 
> > their systems.
> > Contractually, we were only allowed to charge access costs for the P/390. 
> > It was not to be a "production" machine. So developers could buy access to 
> > it, but not on a "per CPU time" charge and related. We did have a few 
> > takers for the P/390.
> > The system Charles has mentioned has certain caveats and issues. One can't 
> > control their z/OS image, because the DASD for the RES is controlled by the 
> > data center.
> > If one were to obtain a z/OS license, and were to get it to run under KVM, 
> > then one could have a "production" system, where all source is handled, 
> > compiles done, etc., while all system level testing is done on another 
> > image.
> > There are costs with this that have to be overcome.
> > Let's take a look into the future: IBM is going to put out a release of VM 
> > and/or z/OS that will not run on a z/?? CEC and that is the one you have 
> > (or SUSE/RHEL, etc. does the same with KVM etc.). You will now have to 
> > migrate to another machine. Can you get that machine on the used market at 
> > a good price?
> > Meanwhile, you must have HLASM and probably want to have the toolkit 
> > (separately chargeable as I understand it). You will need all the compilers 
> > being used COBOL, PL/1, c/C++, etc.. Can you get them under a development 
> > license?
> > Ok, let's say you can. You may need to have a small machine that is used 
> > for compiles so that you do not have to pay for the compilers on the bigger 
> > box.
> > Given that you are going to have those who are doing development where they 
> > will need to have multiple CPUs, what you want is the slowest machine you 
> > can get (sub-model?) but with 4-6 General CPs for race condition testing.
> > Now depending on the number of people/entities interested in this system, 
> > one may need multiple LPARs and possibly CECs to handle the workload.
> > If I could (and because of who I work for, and for those of you who think I 
> > work for Humana, I did at one time, but things change...), I would go to a 
> > University or college and propose this: A Mainframe Academic center. And I 
> > would tie that with somehow teaching COBOL (it ain't dead, and it is still 
> > growing), and possibly CICS & DB2. If IBM still does an academic licensing 
> > thing, then this is the cheapest way to go that I am aware of. And if you 
> > can get the school to do an open semester year tuition allowing one to do 
> > self directed studies
> > Believe me, with all the outsourced contractors I deal with who have 
> > degrees in IT Theory and absolutely no PROGRAMMING experience outside of 
> > some OO language, I could see this being something that might get some 
> > traction since with COVID-19 we just found out that we can do classes 
> > virtually to anywhere (those of us who have been working from Home for 
> > decades already knew that).
> > And you might get certain companies to throw in their tools, such as z/XDC 
> > for a low price.
> > Ok, maybe more than 2 cents, but these are my observations having done some 
> > of this before Outsourcing organizations became Cloud companies.
> > THE HEADACHE not yet mentioned is, one may not be able to get support for 
> > this system. So one may have to wait until a production machine somewhere 
> > hits your problem to get an APAR/PTF.
> > Regards,
> > Steve Thompson
> > --- charl...@mcn.org wrote:
> > From: Charles Mills charl...@mcn.org
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: [IBM-MAIN] Mainframe co-op
> > Date: Fri, 3 Jul 2020 11:41:52 -0700
> > A model to look at might be the IBM Innovation Center, Dallas.
> > The price is higher than what I picture as your target: $550/month and up 
> > IIRC. You get two dedicated VM virtual machines: one that runs CMS and that 
> > you use as a console. You can do limited console automation with Rexx. And 
> > one on which you IPL z/OS. The z/OS -- any current version that you want -- 
> > runs from shared 

Re: Announcement: CICS Auxiliary Trace Visualizer (new version 2.0)

2020-07-02 Thread kekronbekron
Very cool, thank you!

- KB

‐‐‐ Original Message ‐‐‐
On Thursday, July 2, 2020 12:52 PM, Andrew Armstrong 
 wrote:

> Hi all,
>
> I've recently modernised the aux2svg rexx procedure - which, until now, was 
> packaged as an example in the RexxXMLParser github repository and CBT FILE647 
> - and moved it to a separate github respository at:
>
> https://github.com/abend0c1/aux2svg
>
> The new version (which I last updated in 2005!) now supports CICS TS 5 
> auxiliary traces. Not a lot has changed since CICS TS 3, except for a few new 
> trace domains, but quite a lot has improved in the SVG area since then so I 
> thought it was time for an update.
>
> In summary, aux2svg creates a graphical representation of a CICS auxiliary 
> trace printout by using Scalable Vector Graphics (SVG). The SVG markup 
> represents the trace data in the form of a Unified Modelling Language (UML) 
> Sequence Diagram (or at least something quite like it). You can view the 
> resulting HTML file using any modern web browser.
>
> The aim is to help you resolve CICS problems more easily.
>
> The aux2svg example in https://github.com/abend0c1/rexxxmlparser has been 
> replaced with a comment redirecting you to the new repository.
>
> Enjoy!
>
> Andrew.
>
> -
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: IPSEC Configuration and Performance

2020-07-02 Thread kekronbekron
Ditto, sorry to go "off-topic" again ... I hope IBM is reading this, and hope 
they look to adding WireGuard support on Z.
>From what little I know, WireGuard is far more manageable and performant than 
>IPSec & IKEv2.
Adding WireGuard support to z/OS shouldn't be too much of a "deviation" too, 
considering that the Linux kernel and OpenBSD now come baked-in with WG.

Link - https://www.wireguard.com/

- KB

‐‐‐ Original Message ‐‐‐
On Thursday, July 2, 2020 4:11 AM, Grant Taylor 
<023065957af1-dmarc-requ...@listserv.ua.edu> wrote:

> On 7/1/20 1:49 PM, Crawford, Robert C. wrote:
>
> > We're considering using IPSEC to secure traffic between an internal
> > router and a CICS application. Can anyone on this list give us any
> > hints, tips or gotchas they may have from doing something similar
> > themselves.
>
> I can't help.
>
> But I'd love to be a fly on the wall and learn.
>
> I've also got some questions, but that's more active than fly on the wall.
>
>
> --
>
> Grant. . . .
> unix || die
>
> -
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread kekronbekron
I believe that's the idea.
Now with zERT being available, more encrypted workload types will get surfaced; 
will probably lead to adding more application/transport types being added under 
AT-TLS's capability.
Just speculation anyway..

What'll be interesting is if AT-TLS evolves to support mTLS (and the dynamic 
cert generation, renewal involved in it) for all the east-west traffic in 
new-age workload.
Starting with a "port" of Let's Encrypt for Z.
Don't know if any of these make sense, just a wild wishlist.

- KB

‐‐‐ Original Message ‐‐‐
On Wednesday, July 1, 2020 10:16 AM, Tom Brennan  
wrote:

> Thanks KB... I think I got my basic question answered, which is that
> one thing AT-TLS was designed for is to encrypt data for TCP/IP programs
> that weren't originally written with encryption. In addition, it sounds
> like even programs that can do their own encryption (i.e. TN3270) can
> also use AT-TLS. If so, that's a smart plan - putting encryption
> processing in one bucket with one set of controls, and one spot to
> update when TLS1.x comes along.
>
> But if I'm wrong with any of the general notes above, please correct me.
>
> On 6/30/2020 9:16 PM, kekronbekron wrote:
>
> > Tom, check this out - https://www.youtube.com/watch?v=YKEzX70moOQ
> > I also got 200 hits for 'AT-TLS' after logging in to share.org; you might 
> > want to do the same to see which of those are the most useful to you.
> >
> > -   KB
> >
> > ‐‐‐ Original Message ‐‐‐
> > On Tuesday, June 30, 2020 10:27 PM, Tom Brennan t...@tombrennansoftware.com 
> > wrote:
> >
> > > I've tried to skim some of the AT-TLS doc, and even attended an IBM
> > > webinar last week, but I'm still missing what I imagine are important
> > > background points. Maybe someone here can explain things, but don't
> > > worry too much about it.
> > > Client and server programs like SSH/SSHD call programs such as OpenSSL
> > > to handle the encryption handshake and processing. So when you set
> > > those up, there is no AT-TLS needed for encryption. Same with the
> > > TN3270 server and client, as long as you set that up with keys and
> > > parameters on the host side, and settings on the client side.
> > > I'm thinking because of the name "Application Transparent" that AT-TLS
> > > was made for programs that DON'T have their own logic to call OpenSSL
> > > (or whatever) to do their own encryption. Let's use clear-text FTP as
> > > an example. So somehow, AT-TLS hooks into the processing and provides
> > > an encrypted "tunnel", kind of like VPN does, but only for that one
> > > application. Does that sound correct?
> > > If so, then the encryption is "transparent" to the FTP server code and
> > > FTP does not need to be changed, which I think is the whole idea here.
> > > Yet we now have an encrypted session. Does that sound correct?
> > > Then if so, what happens on the FTP client side? I certainly can't use
> > > the Windows FTP command, for example, because it's not setup for any
> > > kind of encryption. That's kind of my big question here.
> > > On 6/30/2020 1:44 AM, Lionel B Dyck wrote:
> > >
> > > > Sweet - thank you
> > > > Lionel B. Dyck <
> > > > Website: https://www.lbdsoftware.com
> > > > "Worry more about your character than your reputation. Character is 
> > > > what you are, reputation merely what others think you are." - John 
> > > > Wooden
> > > > -Original Message-
> > > > From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On Behalf 
> > > > Of kekronbekron
> > > > Sent: Tuesday, June 30, 2020 2:34 AM
> > > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > > Subject: Re: AT-TLS ?
> > > > Hi LBD!,
> > > > Check these out-
> > > > http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416
> > > > http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415
> > > > http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5414
> > > >
> > > > -   KB
> > > >
> > > > ‐‐‐ Original Message ‐‐‐
> > > > On Monday, June 29, 2020 3:56 AM, Lionel B Dyck lbd...@gmail.com wrote:
> > > >
> > > > > Anyone have any pointers for configuring AT-TLS on z/OS?
> > > > > Lionel B. Dyck <
> > > > > Website: https://www.lbdsoftware.com https://www.lbdsoftware.com
> > > > > "Worry more about your character than your reputation. Ch

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread kekronbekron
Tom, check this out - https://www.youtube.com/watch?v=YKEzX70moOQ

I also got 200 hits for 'AT-TLS' after logging in to share.org; you might want 
to do the same to see which of those are the most useful to you.

- KB

‐‐‐ Original Message ‐‐‐
On Tuesday, June 30, 2020 10:27 PM, Tom Brennan  
wrote:

> I've tried to skim some of the AT-TLS doc, and even attended an IBM
> webinar last week, but I'm still missing what I imagine are important
> background points. Maybe someone here can explain things, but don't
> worry too much about it.
>
> Client and server programs like SSH/SSHD call programs such as OpenSSL
> to handle the encryption handshake and processing. So when you set
> those up, there is no AT-TLS needed for encryption. Same with the
> TN3270 server and client, as long as you set that up with keys and
> parameters on the host side, and settings on the client side.
>
> I'm thinking because of the name "Application Transparent" that AT-TLS
> was made for programs that DON'T have their own logic to call OpenSSL
> (or whatever) to do their own encryption. Let's use clear-text FTP as
> an example. So somehow, AT-TLS hooks into the processing and provides
> an encrypted "tunnel", kind of like VPN does, but only for that one
> application. Does that sound correct?
>
> If so, then the encryption is "transparent" to the FTP server code and
> FTP does not need to be changed, which I think is the whole idea here.
> Yet we now have an encrypted session. Does that sound correct?
>
> Then if so, what happens on the FTP client side? I certainly can't use
> the Windows FTP command, for example, because it's not setup for any
> kind of encryption. That's kind of my big question here.
>
> On 6/30/2020 1:44 AM, Lionel B Dyck wrote:
>
> > Sweet - thank you
> > Lionel B. Dyck <
> > Website: https://www.lbdsoftware.com
> > "Worry more about your character than your reputation. Character is what 
> > you are, reputation merely what others think you are." - John Wooden
> > -Original Message-
> > From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On Behalf Of 
> > kekronbekron
> > Sent: Tuesday, June 30, 2020 2:34 AM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: AT-TLS ?
> > Hi LBD!,
> > Check these out-
> > http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416
> > http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415
> > http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5414
> >
> > -   KB
> >
> > ‐‐‐ Original Message ‐‐‐
> > On Monday, June 29, 2020 3:56 AM, Lionel B Dyck lbd...@gmail.com wrote:
> >
> > > Anyone have any pointers for configuring AT-TLS on z/OS?
> > > Lionel B. Dyck <
> > > Website: https://www.lbdsoftware.com https://www.lbdsoftware.com
> > > "Worry more about your character than your reputation. Character is
> > > what you are, reputation merely what others think you are." - John
> > > Wooden
> > >
> > > For IBM-MAIN subscribe / signoff / archive access instructions, send
> > > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
> > For IBM-MAIN subscribe / signoff / archive access instructions, send email 
> > to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Installing Java

2020-06-30 Thread kekronbekron
hi Gadi,


Perhaps the hold data will allow the APPLY job to figure out that only the 
latest ones in the chain actually need to be applied.
Ones in the chain may be superseded, so it's always worth an APPLY CHECK to see 
what's going on.

When downloading, the packaging system may be blindly pulling together related 
fixes, but I'm hoping the SMPHOLD will make the actual apply make sense.


- KB

‐‐‐ Original Message ‐‐‐
On Tuesday, June 30, 2020 12:44 PM, Gadi Ben-Avi  wrote:

> Hi,
> When I ordered z/OS v2.4, I only ordered the 64 bit version of Java.
> When we tried to start PFA, it failed. A quick search showed that PFA 
> requires the 31 bit version of java.
> I ordered it using shopzseries.
> The resulting package was over 13GB.
> It looks like I have the base version and over 50 PTF's that upgrade it to 
> the current version.
>
> Can I prevent SMP/E from installing all of those versions, and just install 
> the final fix?
> From past experience I know that each PTF is a full replacement of the who 
> java SDK.
>
> Gadi
>
>
> -
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: AT-TLS ?

2020-06-30 Thread kekronbekron
Hi LBD!,

Check these out-


http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5414

- KB

‐‐‐ Original Message ‐‐‐
On Monday, June 29, 2020 3:56 AM, Lionel B Dyck  wrote:

> Anyone have any pointers for configuring AT-TLS on z/OS?
>
> Lionel B. Dyck <
> Website: https://www.lbdsoftware.com https://www.lbdsoftware.com
>
> "Worry more about your character than your reputation. Character is what
> you are, reputation merely what others think you are." - John Wooden
>
>
> -
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Base SYSPLEX setup

2020-06-01 Thread kekronbekron
Just curious .. why does it have to be FICON CTC, why can't it be SMC-D/R or 
HiperSockets or one of those ICA-SR (or whatever it's called) connectors IF 2 
machines are involved.


- KB

‐‐‐ Original Message ‐‐‐
On Monday, June 1, 2020 6:29 PM, Allan Staller  wrote:

> See the manuals "Setting up a SYSPLEX" and "Merging Systems Into A SYSPLEX". 
> Both can be found on the IBM zOS Library site.
> Some key items not available in a base sysplex:
>
> GRS START (use CTC for inter-image communication.
> VTAM Generic resources, VTAM MNPS
> RACF data sharing (RACF sysplex communications is available)
> Many others. All are described in Setting Up a SYSPLEX
>
> HTH,
> -Original Message-
> From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On Behalf Of 
> Brian Westerman
>
> Sent: Sunday, May 31, 2020 2:05 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Base SYSPLEX setup
>
> [CAUTION: This Email is from outside the Organization. Unless you trust the 
> sender, Don’t click links or open attachments as it may be a Phishing email, 
> which can steal your Information and compromise your Computer.]
>
> Hi,
>
> I'm looking for information on how to set up a base SYSPLEX with only Ficon 
> CTC's that seem to be referred to as XCF CTC's.
>
> I'm sure someone had done this before and is probably doing it now for 
> Multiple LPARs that are running on the same processor CEC. Configuration help 
> (parms etc.) would be greatly appreciated. I think all we need to do to 
> connect the 3 existing LPARs is purchase 2 FICON cards (we currently have no 
> extras). Unfortunately, the IBM docs seem to talk a lot about the full 
> parallel sysplexes (with Coupling facilities), but we don't have them, and 
> they seem to be a great deal more expensive than FICON cards which are all we 
> need to implement GRS anyway (that's our goal). We can also apparently create 
> a virtual CF, but the overhead appears to be far greater than we can spare.
>
> Any CXF CTC setup information would be greatly appreciated.
>
> Thanks
>
> Brian
>
> -
>
> For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
> lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> ::DISCLAIMER::
>
> The contents of this e-mail and any attachment(s) are confidential and 
> intended for the named recipient(s) only. E-mail transmission is not 
> guaranteed to be secure or error-free as information could be intercepted, 
> corrupted, lost, destroyed, arrive late or incomplete, or may contain viruses 
> in transmission. The e mail and its contents (with or without referred 
> errors) shall therefore not attach any liability on the originator or HCL or 
> its affiliates. Views or opinions, if any, presented in this email are solely 
> those of the author and may not necessarily reflect the views or opinions of 
> HCL or its affiliates. Any form of reproduction, dissemination, copying, 
> disclosure, modification, distribution and / or publication of this message 
> without the prior written consent of authorized representative of HCL is 
> strictly prohibited. If you have received this email in error please delete 
> it and notify the sender immediately. Before opening any email and/or 
> attachments, please check them for viruses and other defects.
>
> --
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: SHARE annouce plans for an online SHARE was Re: Yechnical

2020-05-18 Thread kekronbekron
Oh SHARE... please have a free-to-attend option.
Not many people (apart from the regulars) know about SHARE to begin with (not 
disrespecting, just comparing the SHARE audience count vs the number of 
mainframers in real world) ... so a free-to-attend option would be a welcome 
gift for those who at least know it exists but are not in the US!


- KB

‐‐‐ Original Message ‐‐‐
On Tuesday, May 19, 2020 8:16 AM, Ed Jaffe  wrote:

> On 5/18/2020 4:53 PM, Jesse 1 Robinson wrote:
>
> > This decision was prompted by the Boston mayor's announcement that 
> > gatherings of >100 would not be allowed until Labor Day at least. SHARE was 
> > scheduled for early August. The event is under reconstruction.
>
> You've got an extra zero there, my friend. Walsh's announcement said
> gatherings > TEN would be disallowed.
>
> I think SHARE was 1430+ in Pittsburgh, so either way something had to be
> done.
>
>
> --
>
> Phoenix Software International
> Edward E. Jaffe
> 831 Parkview Drive North
> El Segundo, CA 90245
> https://www.phoenixsoftware.com/
>
>
> ---
>
> This e-mail message, including any attachments, appended messages and the
> information contained therein, is for the sole use of the intended
> recipient(s). If you are not an intended recipient or have otherwise
> received this email message in error, any use, dissemination, distribution,
> review, storage or copying of this e-mail message and the information
> contained therein is strictly prohibited. If you are not an intended
> recipient, please contact the sender by reply e-mail and destroy all copies
> of this email message and do not otherwise utilize or retain this email
> message or any or all of the information contained therein. Although this
> email message and any attachments or appended messages are believed to be
> free of any virus or other defect that might affect any computer system into
> which it is received and opened, it is the responsibility of the recipient
> to ensure that it is virus free and no responsibility is accepted by the
> sender for any loss or damage arising in any way from its opening or use.
>
> 
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: IBM Developerworks is gone!

2020-05-06 Thread kekronbekron
In before Martin chimes in with his treasure trove - 
https://mainframeperformancetopics.com/


- KB

‐‐‐ Original Message ‐‐‐
On Wednesday, May 6, 2020 10:41 PM, Barkow, Eileen 
<02bc504b1642-dmarc-requ...@listserv.ua.edu> wrote:

> https://developer.ibm.com/ seems to have some useful things like tutorials,
> but I cannot find any forums for reporting problems and answering questions.
>
> -Original Message-
> From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On Behalf Of 
> scott Ford
> Sent: Wednesday, May 6, 2020 1:04 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: IBM Developerworks is gone!
>
> Cheryl,
>
> Amen, I agree. The Developerworks information is valuable for all.
> IBM must stop, who do we need to write to ?
>
> Scott
>
> On Wed, May 6, 2020 at 12:49 PM Cheryl Watson che...@watsonwalker.com
> wrote:
>
> > Hi all,
> > Remember when IBM went through and deleted from their websites what
> > they considered "old" manuals and documentation? Well, they just did it 
> > again!
> > They've removed all the DeveloperWorks articles that have provided
> > such excellent information since its creation. And these aren't just
> > OLD articles. Even a link from three months ago is gone. All
> > references to DeveloperWorks are now directed to a nothing site. The
> > DeveloperWorks website contained amazing articles from some of the top
> > developers in their fields, many of whom are no longer still working
> > at IBM. We understand that IBM "furloughed" them, but they don't have to 
> > furlough their ideas.
> > I'm pleading with all of you who work for a large IBM customer to ask
> > your management to tell IBM to stop this idiotic practice. There is NO
> > reason to delete valuable information.
> > If this is due to marketing wanting a new image, then they have no
> > idea what image they're creating.
> > Please do this for all of us!
> > All my best,
> > Cheryl Watson
> > Watson & Walker, Inc.
> >
> > For IBM-MAIN subscribe / signoff / archive access instructions, send
> > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
> Scott Ford
> IDMWORKS
> z/OS Development
>
> 
>
> For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
> lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> This e-mail, including any attachments, may be confidential, privileged or 
> otherwise legally protected. It is intended only for the addressee. If you 
> received this e-mail in error or from someone who was not authorized to send 
> it to you, do not disseminate, copy or otherwise use this e-mail or its 
> attachments. Please notify the sender immediately by reply e-mail and delete 
> the e-mail from your system.
>
> ---
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Print/copy one record of each type/subtype

2020-04-21 Thread kekronbekron
Sir,

You are an absolute legend.
Thank you 3000.

‐‐‐ Original Message ‐‐‐
On Tuesday, April 21, 2020 9:08 PM, Sri h Kolusu  wrote:

> Kekron,
>
> > I'm looking to get 1 record for each type-subtype combination.
> > That is, 1 rec of 30_1, 1 of 30_2, and so on.
>
> AFAIK SMF records which have a subtype are
> 2,30,32,33,41,42,70-79,84,86,88,89,92,94,96,97,98,106,108 and 113 . If you
> have any other record type that have a subtypes then you can add them as a
> symbol and also add them to INCLUDE cond.
>
> Most of the records have the subtype at position 23 except for record type
> 84, The subtype for record type 84 is at position 25. So you just need
> an INREC statement to build that record type differently.
>
> So you can use the following DFSORT JCL to get the desired results. A
> brief explanation of the job.
>
> STEP0100 - Deletes the output file it existed.
> STEP0200 - Extracts 1 sub-type record for each record that has a subtype.
> STEP0300 - Verification step that creates 2 reports. Record type count and
> another Record type + Sub type Count
>
> You can just run the first 2 steps. the 3rd step is optional
>
> (See attached file: SMFEXT.txt)
>
> Thanks,
> Kolusu
> DFSORT Development
> IBM Corporation
>
> IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU wrote on
> 04/20/2020 09:32:36 PM:
>
> > From: kekronbekron 02dee3fcae33-dmarc-requ...@listserv.ua.edu
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Date: 04/20/2020 09:33 PM
> > Subject: [EXTERNAL] Re: Print/copy one record of each type/subtype
> > Sent by: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU
> > Hi Kolusu,
> > We are all forever grateful for your DFSORT help, thank you :)
> > I'm looking to get 1 record for each type-subtype combination.
> > That is, 1 rec of 30_1, 1 of 30_2, and so on.
> > A bit disappointed that I can read VB/VBS with RECFM=U in the DD, in
> > a JCL (in order to read BDW/RDW), but that throws the whole concept
> > of 'logical record'.
> > So ... just wondering if there's a way to get sample records with
>
> BDW/RDW.
>
> > ‐‐‐ Original Message ‐‐‐
> > On Monday, April 20, 2020 11:16 PM, Sri h Kolusu skol...@us.ibm.com
>
> wrote:
>
> > > Kekron,
> > > Are you looking for a summary of subtypes for every smf record? I wrote
>
> an
>
> > > ICETOOL job for Cheryl Watson's newsletter under "User Experiences and
> > > Tips" which lists the count how many records it found of each type and
> > > subtype and produce a little report saying something like:
> > > TYPE SUBTYPE COUNT
> > > 30 1 18446
> > > 30 2 2788
> > > 30 3 49083
> > > 30 4 49326
> > > 30 5 19162
> > > 30 6 210
> > > 41 3 41
> > > ...
> > > or
> > > Do you need to write out the first record for each subtype? Let me know
>
> the
>
> > > requiement and I will show you a way to get it done using DFSORT.
> > > Thanks,
> > > Kolusu
> > > DFSORT Development
> > > IBM Corporation
>
> > > For IBM-MAIN subscribe / signoff / archive access instructions,
> > > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Print/copy one record of each type/subtype

2020-04-20 Thread kekronbekron
Hi Kolusu,


We are all forever grateful for your DFSORT help, thank you :)
I'm looking to get 1 record for each type-subtype combination.
That is, 1 rec of 30_1, 1 of 30_2, and so on.

A bit disappointed that I can read VB/VBS with RECFM=U in the DD, in a JCL (in 
order to read BDW/RDW), but that throws the whole concept of 'logical record'.
So ... just wondering if there's a way to get sample records with BDW/RDW.


‐‐‐ Original Message ‐‐‐
On Monday, April 20, 2020 11:16 PM, Sri h Kolusu  wrote:

> Kekron,
>
> Are you looking for a summary of subtypes for every smf record? I wrote an
> ICETOOL job for Cheryl Watson's newsletter under "User Experiences and
> Tips" which lists the count how many records it found of each type and
> subtype and produce a little report saying something like:
>
> TYPE SUBTYPE COUNT
>
> 30 1 18446
> 30 2 2788
> 30 3 49083
> 30 4 49326
> 30 5 19162
> 30 6 210
> 41 3 41
> ...
>
> or
>
> Do you need to write out the first record for each subtype? Let me know the
> requiement and I will show you a way to get it done using DFSORT.
>
> Thanks,
> Kolusu
> DFSORT Development
> IBM Corporation
>
> -
>
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Print/copy one record of each type/subtype

2020-04-20 Thread kekronbekron
Hello!

When working with VBS files, I reckon it's easiest to get 1 of each (SMF record 
type & subtype) using DFSORT.
Are there easier ways?
Can y'all please help with a sample for picking such unique RTY_STY using DFSORT

Thanks in advance, I'm a complete DFSORT n00b.

Kekron

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN